POPI 7 Final


SEVENTH WORKING DRAFT: 19 June 2012(Portfolio Committee: Justice and Constitutional Development)

PROTECTION OF PERSONAL INFORMATION BILL

1. Words underlined “XXX XXX” and highlighted in “grey”: proposed additions to introduced Bill as per instruction by Technical Committee;

2. Words in square brackets “[XXX XXX]” and highlighted in “grey”: proposed omissions from introduced Bill as per instruction by Technical Committee.

Page 2: POPI 7 Final

Technical Committee: Seventh Draft: 19 June 2012

B9Version7C(PPIRedraftPC(1))

GENERAL EXPLANATORY NOTE:

[ ] Words in bold type in square brackets indicate omissions from existing enactments.

___________ Words underlined with a solid line indicate insertions in existing enactments.

B I L L

To promote the protection of personal information processed by public and private bodies; to introduce [information protection principles] certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information [Protection] Regulator; to provide for the issuing of codes of conduct[s]; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.

PREAMBLE

RECOGNISING THAT—

* section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;

* the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;

* the State must respect, protect, promote and fulfil the rights in the Bill of Rights;

AND BEARING IN MIND THAT—

* consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information;

AND IN ORDER TO—

* regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests,

PARLIAMENT1 of the Republic of South Africa therefore enacts as follows:—

CONTENTS OF ACT

CHAPTER 1
DEFINITIONS AND PURPOSE

1. Definitions
2. Purpose of Act

CHAPTER 2
APPLICATION PROVISIONS

1 Ms Smuts proposes that the word “THE” should be inserted before the word “PARLIAMENT”.


3. Application and interpretation of Act
4. Rights of data subjects
5. Lawful processing of personal information
[4] 6. Exclusions
7. Exclusion for journalistic purposes
[5. Saving
6. Act applies to public and private bodies]

CHAPTER 3
CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION

Part A
[Information Protection Principles] Processing of personal information in general

[Principle 1] Condition 1
Accountability

[7] 8. Responsible party to [give effect to principles] ensure conditions for lawful processing

[Principle 2] Condition 2
Processing limitation

[8] 9. Lawfulness of processing
[9] 10. Minimality
[10] 11. Consent, justification and objection
[11] 12. Collection directly from data subject

[Principle 3] Condition 3
Purpose specification

[12] 13. Collection for specific purpose
[13. Data subject aware of purpose of collection of information]
14. Retention and restriction of records

[Principle 4] Condition 4
Further processing limitation

15. Further processing to be compatible with purpose of collection

[Principle 5] Condition 5
Information quality

16. Quality of information

[Principle 6] Condition 6
Openness

17. Notification to Regulator [and to data subject]
18. Notification to data subject when collecting personal information

[Principle 7] Condition 7
Security safeguards

[18] 19. Security measures on integrity of personal information
[19] 20. Information processed by operator or person acting under authority
[20] 21. Security measures regarding information processed by operator


[21] 22. Notification of security compromises

[Principle 8] Condition 8
Data subject participation

[22] 23. Access to personal information
[23] 24. Correction of personal information
[24] 25. Manner of access

Part B
Processing of special personal information

[25] 26. Prohibition on processing of special personal information
27. General authorisation concerning special personal information
[26] 28. [Exemption] Authorisation concerning data subject’s [religion] religious or philosophical beliefs
[27] 29. [Exemption] Authorisation concerning data subject’s race or ethnic origin
[28] 30. [Exemption] Authorisation concerning data subject’s trade union membership
[29] 31. [Exemption] Authorisation concerning data subject’s political persuasion
[30] 32. [Exemption] Authorisation concerning data subject’s health or [sexual] sex life
[31] 33. [Exemption] Authorisation concerning data subject’s criminal behaviour
[32. General exemption concerning special personal information]

Part C
Processing of personal information of children

34. Prohibition on processing personal information of children
35. General authorisation concerning personal information of children

CHAPTER 4
EXEMPTION FROM [INFORMATION PROTECTION PRINCIPLES] CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION

[33] 36. General
[34] 37. Regulator may [authorise] exempt processing of personal information

CHAPTER 5
SUPERVISION

Part A
Information [Protection] Regulator

[35] 38. Establishment of Information [Protection] Regulator
39. Powers, [and] duties and functions of Regulator
[36] 40. [Constitution and period of office of Regulator] Appointment, period of and removal from office of members of Regulator
41. Vacancies
42. Powers, duties and functions of Chairperson and other members
43. Regulator to have regard to certain matters
44. Conflict of interest
[37] 45. Remuneration, allowances, benefits and privileges of members
[38] 46. [Secretary and staff] Staff
47. Powers, duties and functions of Chief Executive Officer
[39] 48. Committees of Regulator
49. Establishment of Enforcement Committee
50. Functions of Enforcement Committee
[40] 51. Meetings of Regulator


[41] 52. Funds
[42] 53. Protection of Regulator
[43. Powers and duties of Regulator
44. Regulator to have regard to certain matters
45. Programmes of Regulator
46. Reports of Regulator]
[47] 54. Duty of confidentiality

Part B
Information [Protection] Officer

[48] 55. Duties and responsibilities of Information [Protection] Officer
[49] 56. Designation and delegation of deputy information [protection] officers

CHAPTER 6
NOTIFICATION AND PRIOR [INVESTIGATION] AUTHORISATION

Part A
Notification

[50] 57. Notification of processing
[51] 58. Notification to contain specific particulars
[52] 59. Exemptions to notification requirements
[53] 60. Register of information processing
[54] 61. Failure to notify

Part B
Prior [investigation] Authorisation

[55] 62. Processing subject to prior [investigation] authorisation
[56] 63. Responsible party to notify Regulator if processing is subject to prior [investigation] authorisation
64. Failure to notify processing subject to prior authorisation

CHAPTER 7
CODES OF CONDUCT

[57] 65. Issuing of codes of conduct
[58] 66. [Proposal] Process for issuing [of] codes of conduct
[59] 67. Notification, availability and commencement of code
68. Procedure for dealing with complaints
[60] 69. Amendment and revocation of codes
[61. Procedure for dealing with complaints]
[62] 70. Guidelines about codes of conduct
[63] 71. Register of approved codes of conduct
[64] 72. Review of operation of approved code of conduct
[65] 73. Effect of failure to comply with code

CHAPTER 8
RIGHTS OF DATA SUBJECTS REGARDING UNSOLICITED ELECTRONIC COMMUNICATIONS, DIRECTORIES AND AUTOMATED DECISION MAKING

[66] 74. Unsolicited electronic communications
[67] 75. Directories
[68] 76. Automated decision making

CHAPTER 9
TRANSBORDER INFORMATION FLOWS


[69] 77. Transfers of personal information outside Republic

CHAPTER 10
ENFORCEMENT

[70] 78. Interference with protection of personal information of data subject
[71] 79. Complaints
[72] 80. Mode of complaints to Regulator
[73] 81. [Investigation by Regulator] Action on receipt of complaint
[74. Action on receipt of complaint]
[75] 82. Regulator may decide to take no action on complaint
[76] 83. Referral of complaint to regulatory body
[77] 84. Pre-investigation proceedings of Regulator
[78] 85. Settlement of complaints
[79] 86. Investigation proceedings of Regulator
[80] 87. Issue of warrants
[81] 88. Requirements for issuing of warrant
[82] 89. Execution of warrants
[83] 90. Matters exempt from search and seizure
[84] 91. Communication between legal adviser and client exempt
[85] 92. Objection to search and seizure
[86] 93. Return of warrants
[87] 94. Assessment
[88] 95. Information notice
96. Parties to be informed of result of assessment
[89] 97. Parties to be informed of developments during and result of investigation
[90] 98. Enforcement notice
[91] 99. Cancellation of enforcement notice
[92] 100. Right of appeal
[93] 101. Consideration of appeal
[94] 102. Civil remedies

CHAPTER 11
OFFENCES AND PENALTIES

[95] 103. Obstruction of Regulator
[96] 104. Breach of confidentiality
[97] 105. Obstruction of execution of warrant
[98] 106. Failure to comply with enforcement or information notices
107. Offences by witnesses
108. Unlawful acts by responsible party in connection with unique identifier
109. Unlawful acts by third parties in connection with unique identifier
[99] 110. [Penal sanctions] Penalties
[100] 111. Magistrate’s Court jurisdiction to impose penalties
111A. Administrative fines

CHAPTER 12
GENERAL PROVISIONS

[101] 112. [Repeal and amendment] Amendment of laws
113. Fees
[102] 114. Regulations
115. Procedure for making regulations
[103] 116. Transitional arrangements
[104] 117. Short title and commencement


SCHEDULE
Laws [repealed and] amended by section [101] 112

CHAPTER 1
DEFINITIONS AND PURPOSE

Definitions

1. In this Act, unless the context indicates otherwise—

["automatic calling machine" means a machine that is able to do automated calls without human intervention;]2

"biometrics" means a technique of personal identification that is based on physical, physiological or behavioural [characteristics] characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;"child"[, for purposes of section 25(1),] means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;3

Option:4

"child" means a natural person under the age of [18] 13 years;

"code of conduct" means a code of conduct issued in terms of Chapter 7;"consent" means any voluntary, specific and informed expression of will in terms of which a data subject or a competent person agrees to the processing of personal information relating to him or her or, as the case may be, relating to a child;

Option:5

"consent" means any voluntary, specific and informed expression of will in terms of which a data subject or a competent person agrees to the processing of personal information relating to him or her or, as the case may be, relating to a child and includes the failure on the side of a data subject or competent person to object or opt out when given a reasonable opportunity to do so;

"Constitution" means the Constitution of the Republic of South Africa, 1996;“ competent person ” means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;

Option:6

“Data bank” means a significant collection or grouping of personal information under the control of a responsible party that─
(a) has been processed, is being processed or is available for processing; or
(b) is organised or intended to be retrieved by─
(i) the name of a data subject;
(ii) a unique identifier; or
(iii) other search criteria.

"data subject" means the person to whom personal information relates;"de-identify", in relation to personal information of a data subject, means to delete any information that—(a) identifies the data subject;(b) can be used or manipulated by a reasonably foreseeable method to identify the data

subject; or

2 Term is used only once in clause 74 and has therefore been inserted in that clause.
3 The definitions of “parent” and “parental consent” are restrictive and do not take account of cases where a child may act with the assistance of another person who is not a parent of the child. The provision has been drafted to provide for those cases where a child can act on his or her own without the assistance of another person.
4 Option proposed by Dr Oriani-Ambrosini.
5 Option proposed by Dr Oriani-Ambrosini.
6 Option proposed by Dr Oriani-Ambrosini.


(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject[;] ,

and “de-identified” has a corresponding meaning;

["electronic mail" or "e-mail"] "electronic communication" means any text, voice, sound or image message sent over [a public] an electronic communications network which [can be] is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient;

"enforcement notice" means a notice issued in terms of section [90] 98;

"filing system" means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;7

["head" of, or in relation to, a private body means a head of a body as defined in section 1 of the Promotion of Access to Information Act;]8

"information matching programme" means the comparison, whether manually or by means of any electronic or other device, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject;["information notice" means a notice issued in terms of section 88]9

"information [protection] officer" of, or in relation to, a—(a) public body means an information officer or deputy information officer as contemplated in

terms of section 1 or 17 [of the Promotion of Access to Information Act]; or(b) private body means the head of a private body as contemplated in section 1 [of the Promotion

of Access to Information],of the Promotion of Access to Information Act;"Minister" means the Cabinet member responsible for the administration of justice;"operator" means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;["parent" includes either the parent of a child or the child’s legal guardian;"parental consent" means any voluntary, specific and informed expression of will in terms of which the parent of a child agrees to the processing of personal information relating to that child;]10

"person" means a natural person or a juristic person;"personal information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or

social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) the [blood type or any other] biometric information of the person;(e) the personal opinions, views or preferences of the person;(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential

nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and(h) the name of the person if it appears with other personal information relating to the person

or if the disclosure of the name itself would reveal information about the person;Option:11

"personal information" means information, excluding blocked information, relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

7 Additional wording inserted to align the definition to the definition of “filing system” which is reflected in the Draft EU Regulation.
8 The term “head” is not used in any of the substantive provisions of the Bill and is therefore redundant. It is proposed that the definition should be deleted.
9 Since the term “information notice” is only used in clauses 95 and 106 it is recommended that it should be deleted.
10 The definitions have been replaced with the definitions of “child” and “competent person”.
11 Option proposed by Dr Oriani-Ambrosini.


(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;

(d) the blood type or any other biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; [and]
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person; and
(i) consumer or purchasing preferences or patterns:
Provided that such information is—
(i) used or meant to be used in trade or commerce;
(ii) not in the public domain in the same or in a different format; or
(iii) held by a public body;

"prescribed" means prescribed by regulation or by a code of conduct;["prior investigation" means an investigation conducted by the Regulator in terms of Part B of Chapter 6;]12

"private body" means—(a) a natural person who carries or has carried on any trade, business or profession, but only

in such capacity;(b) a partnership which carries or has carried on any trade, business or profession; or(c) any former or existing juristic person, but excludes a public body;"processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, organisation, collation, storage, updating or modification,

retrieval, alteration, consultation or use;(b) dissemination by means of transmission, distribution or making available in any other

form; or(c) merging, linking, as well as [blocking] restriction,13 degradation, erasure or destruction of

information;

Option:14

"processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, [organisation, collation, storage, updating or modification, retrieval,

alteration, consultation or use];(b) dissemination by means of transmission, distribution or making available in any

other form; or(c) merging, linking, as well as blocking, degradation, erasure or destruction of

information;but excludes the collection, storage or updating of blocked information;

"professional legal adviser" means any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice;

12 Since the term “prior investigation” is only used once before Part B of Chapter 6 it is recommended that the definition should be deleted.
13 The term “blocking” has been replaced by the term “restriction” in the Draft EU Regulation.
14 Option proposed by Dr Oriani-Ambrosini.


Option:15

“professional legal adviser” means a legal practitioner or a person whose occupation involves the giving of legal advice;

"Promotion of Access to Information Act" means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);"public body" means—(a) any department of state or administration in the national or provincial sphere of

government or any municipality in the local sphere of government; or(b) any other functionary or institution when—

(i) exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or

(ii) exercising a public power or performing a public function in terms of any legislation;

["public communications network" means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services;]"public record" means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body;"record" means any recorded information—(a) regardless of form or medium, including any of the following:

(i) Writing on any material;(ii) information produced, recorded or stored by means of any tape-recorder, computer

equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;

(iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;

(iv) book, map, plan, graph or drawing;(v) photograph, film, negative, tape or other device in which one or more visual

images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

(b) in the possession or under the control of a responsible party;(c) whether or not it was created by a responsible party; and(d) regardless of when it came into existence;"Regulator" means the Information [Protection] Regulator established in terms of section [35] 38;"re-identify", in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that—(a) identifies the data subject;(b) can be used or manipulated by a reasonably foreseeable method to identify the data

subject; or(c) can be linked by a reasonably foreseeable method to other information that identifies the

data subject,and “re-identified” has a corresponding meaning;"Republic" means the Republic of South Africa;"responsible party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;["subscriber" means any person who is party to a contract with the provider of publicly available electronic communications services for the supply of such services;] 16 [and]“ restriction ” means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information;

Option:17

“blocked” as referred to information means information which placed contained in a data bank which─

15 Option proposed by Dr Oriani-Ambrosini.
16 Term only used in clause 75 and has therefore been inserted in that clause.
17 Option proposed by Dr Oriani-Ambrosini.


(a) remains un-used and inaccessible for as long as it is unused and inaccessible, provided that safeguards are in place to verify whether it is used or accessed, or

(b) is kept in a place or in a manner which prevents the use of such information as prescribed;

"this Act" includes any regulation or code of conduct made under this Act; and“ unique identifier ” means any identifier that is assigned to a data subject by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.18

Purpose of Act

2. [(1)] The purpose of this Act is to—
(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to information; and
(ii) protecting important interests, including the free flow of information within the Republic and across international borders;
(b) regulate the manner in which personal information may be processed, by establishing [principles] conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;

(c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and

(d) establish voluntary and compulsory measures, including the establishment of an Information [Protection] Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.

[(2) This Act must be interpreted in a manner that—
(a) gives effect to the purposes of the Act set out in subsection (1); and
(b) does not prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law as far as such functions, powers and duties relate to the processing of personal information and such processing is in accordance with this Act or any other legislation that regulates the processing of personal information.]19

Option:20

(e) not to infringe upon or detract from any right or liberty granted under the Constitution or any other law.

CHAPTER 2
APPLICATION PROVISIONS

Application and interpretation of Act

3. (1) This Act applies to the processing of personal information─ [entered in a record by or for a responsible party─
(a) domiciled in the Republic; or
(b) which is not domiciled in the Republic, using automated or non-automated means situated in the Republic, unless those means are used only for forwarding personal information,
provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof.]
(a) entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof; and
(b) where the responsible party is—
(i) domiciled in the Republic and the information is processed in the Republic; or

18 See amendment of definition in clause 108(5) for purposes of clarification.
19 Subclause (2) duplicated in clause 3(3). Since subclause (2) deals with the interpretation of the Act and not the purpose thereof, it has been inserted in clause 3(3).
20 Option proposed by Dr Oriani-Ambrosini who pointed out that “This amendment, read together with the rephrased exclusion clause, addresses the valid concerns submitted by the Editors’ Forum, especially in respect of the bill’s apparent unconstitutionality if it violates the freedom of speech of all, even when the media is excluded from its scope of application to protect its specific freedom of speech.”.


(ii) not domiciled in the Republic, but makes use of automated or non-automated means that are situated in the Republic, unless those means are used only to forward personal information through the Republic.
(2) (a)21 This Act applies, subject to paragraph (b), to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object, or a specific provision, of this Act.

(b) If any other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in Chapter 3, the extensive conditions prevail.

(3) This Act must be interpreted in a manner that—
(a) gives effect to the purpose of the Act set out in section 2; and
(b) does not prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law as far as such functions, powers and duties relate to the processing of personal information and such processing is in accordance with this Act or any other legislation, as referred to in subsection (2), that regulates the processing of personal information.

(4) “Automated means”, for the purposes of this section, means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.

Rights of data subjects

4. A data subject has the right to have his, her or its personal information processed by or for a responsible party in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right─
(a) to object, on reasonable grounds relating to his, her or its particular situation, to the processing of his, her or its personal information as provided for in terms of section 11;
(b) to be notified that─

(i) personal information about him, her or it is being collected as provided for in terms of section 18; or

(ii) his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;

(c) to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;

(d) to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;

(e) to refuse the processing of his, her or its personal information for the purpose of direct marketing by means of unsolicited electronic communications as provided for in terms of section 74;

(f) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 76;

(g) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 79; and

(h) to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 102.

Lawful processing of personal information

5. (1) The conditions for the lawful processing of personal information by or for a responsible party are the following:

21 The proposed new wording of paragraph (a) aims to clarify the operation of the Act in relation to other legislation that regulates the processing of personal information in a similar fashion to the provisions of section 5 of PAIA. Clause 3(2) represents an alternative version of the original clause 5 (as introduced).

(a) “Accountability”, as referred to in section 8;

(b) “Processing limitation”, as referred to in sections 9 to 12;

(c) “Purpose specification”, as referred to in sections 13 and 14;

(d) “Further processing limitation”, as referred to in section 15;

(e) “Information quality”, as referred to in section 16;

(f) “Openness”, as referred to in sections 17 and 18;

(g) “Security safeguards”, as referred to in sections 19 to 22; and

(h) “Data subject participation”, as referred to in sections 23 to 25.

(2) The conditions, as referred to in subsection (1) are not applicable to the processing of personal information to the extent that—

(a) such processing is excluded, in terms of section 6, from the operation of this Act; or

(b) the Regulator has granted an exemption, in terms of section 37, from one or more of the conditions concerned in relation to such processing.

(3) The processing of the special personal information of a data subject is prohibited in terms of section 26, except if the—

(a) provisions of sections 27 to 33 are applicable; or

(b) Regulator has granted an authorisation in terms of section 27(2),

in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.

(4) The processing of the personal information of a child is prohibited in terms of section 34, except if the─

(a) provisions of section 35(1) are applicable; or

(b) Regulator has granted an authorisation in terms of section 35(2),

in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.

(5) The conditions for the lawful processing of personal information by or for a responsible party for the purpose of—

(a) direct marketing are reflected in Chapter 3; and

(b) direct marketing by means of unsolicited electronic communications are, subject to section 74, reflected in Chapter 3.

(6) Sections 65 to 73 provide for the development, in appropriate circumstances, of codes of conduct for purposes of clarifying how the conditions referred to in subsection (1), subject to any exemptions which may have been granted in terms of section 37, are to be applied, or are to be complied with within a particular sector.

Exclusions

[4] 6. (1) This Act does not apply to the processing of personal information—

(a) in the course of a purely personal or household activity;

Option 1:22

(a) in the course of a [purely personal] non-commercial, non-governmental or household activity;

(b) that has been de-identified to the extent that it cannot be re-identified again;

(c) by or on behalf of [the State] a public body and—

(i) which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or

(ii) the purpose of which is the prevention, detection, including activities that are aimed at assisting in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures,

to the extent that adequate safeguards have been established in [specific] legislation for the protection of such personal information;

22 Option proposed by Dr Oriani-Ambrosini.

Option:23

To delete paragraph (c).

[(d) for exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information;]24

(d) solely for the purpose of literary or artistic expression, to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression;25

Option 1:26

(d) by any person for the purpose of bona fide literary or artistic expression;

Option 2:27

(d) by any person for the purpose of literary or artistic expression;

(e) by the Cabinet and its committees[,] and the Executive Council of a province [and a Municipal Council of a municipality]; or

Option:

To delete paragraph (e).

(f) relating to the judicial functions of a court referred to in section 166 of the Constitution[; or

(g) that has been exempted from the application of the information protection principles in terms of section 34].28

(2) “Terrorist and related activities”, for purposes of subsection (1)(c), means those activities referred to in section 4 of the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (Act No. 33 of 2004).

Exclusion for journalistic purposes

7. (1) This Act does not apply to the processing of personal information for exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information.

(2) In the event that a dispute may arise in respect of whether adequate safeguards have been provided for in a code as required in terms of subsection (1) or not, regard may be had to—

(a) the special importance of the public interest in freedom of expression;

(b) domestic and international standards balancing the—

(i) public interest in allowing for the free flow of information to the public through the media in recognition of the right of the public to be informed; and

(ii) public interest in safeguarding the protection of personal information of data subjects;

(c) the need to secure the integrity of personal information;

(d) domestic and international standards of professional integrity for journalists; and

(e) the nature and ambit of self-regulatory forms of supervision provided by the profession.

Option:29

7. This Act does not apply to the processing of personal information for any purpose embodying the exercise of a right protected under the Constitution, including but not limited to exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information to the extent that such code provides sufficient guidelines─

(i) for such responsible parties in the processing of personal information which is substantially similar to the conditions for the lawful processing of such information as referred to in Chapter 3; and

(ii) balance the right to privacy against the right to freedom of expression in the particular context of information processing for journalistic purposes.

23 Option proposed by Dr Oriani-Ambrosini and Ms Smuts.

24 Subclause inserted in separate clause, see clause 7.

25 Paragraph (d) proposed by the Chairperson of the Technical Committee.

26 Option proposed by Ms Smuts.

27 Option proposed by Dr Oriani-Ambrosini.

28 Paragraph (g) is a duplication of clause 37 and does not fit in this clause which deals with exclusions from the Act.

29 Option proposed by Dr Oriani-Ambrosini.

[Saving30

5. (1) This Act does not affect the operation of any other legislation that regulates the processing of personal information and is capable of operating concurrently with this Act.

(2) If any other legislation provides for safeguards for the protection of personal information that are more extensive than those set out in the information protection principles, the extensive safeguards prevail.

Act applies to public and private bodies

6. This Act applies to all public and private bodies.]

CHAPTER 3

CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION

Part A

[Information Protection Principles] Processing of personal information in general

[Principle 1] Condition 1

Accountability

Responsible party to [give effect to principles] ensure conditions for lawful processing

Option:31

Responsible party to [give effect to principles] ensure compliance with conditions for lawful processing

[7.] 8. The responsible party must ensure that the [principles] conditions set out in this Chapter, and all the measures that give effect to [the principles] such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

[Principle 2] Condition 2

Processing limitation

Lawfulness of processing

[8.] 9. Personal information must be processed—

(a) lawfully; and

(b) in a reasonable manner that does not infringe the privacy of the data subject unnecessarily32.

Minimality

[9.] 10. Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

30 Clause 5 has been inserted in clause 3(3). As far as clause 6 is concerned, it should be noted that the terms “responsible party”, “public body” and “private body” are defined and it is therefore clear that the Act applies to both public and private bodies. It is recommended that clause 6 should be omitted from the Bill.

31 Option proposed by Dr Oriani-Ambrosini.

32 The word “unnecessarily” has been inserted to highlight the notion that some degree of prima facie infringement is permissible.

Option:33

[Minimality] Right to privacy

[9.] 10. [Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.] Unless authorised under the law or objectively necessary for the completion of the transaction concerned, no-one shall be required to provide or disclose personal information as a condition for the completion of a transaction or the receipt of a benefit.

Consent, justification and objection

[10.] 11. (1) Personal information may only be processed if—

(a) the data subject or a competent person where the data subject is a child consents to the processing;

(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;

(c) processing complies with an obligation imposed by law on the responsible party;

(d) processing protects a legitimate interest of the data subject;

(e) processing is necessary for the proper performance of a public law duty by a public body; or

(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

(2) (a) The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).

(b) The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal will not be affected.

[(2)](3) A data subject may object, at any time, on reasonable grounds relating to his, her or its particular situation, in the prescribed manner, to the processing of personal information in terms of subsection (1)(d) to (f), [unless otherwise provided for in national legislation] unless legislation provides for such processing.34

[(3)] (4) If a data subject has objected to the processing of personal information in terms of subsection [(2)] (3), the responsible party may no longer process the personal information.

Collection directly from data subject

[11.] 12. (1) Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).

(2) It is not necessary to comply with subsection (1) if—

(a) the information is contained in or derived from a public record or has deliberately been made public by the data subject;

(b) the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;

(c) collection of the information from another source would not prejudice a legitimate interest of the data subject;

(d) collection of the information from another source is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) [to enforce a law imposing a pecuniary penalty;

(iii)] to comply with an obligation imposed by law or35 to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

33 Option proposed by Dr Oriani-Ambrosini.

34 The amendment is proposed for clarity purposes.

35 Amendment proposed by FIC.

[(iv)](iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;

[(v)](iv) in the [legitimate] interests of national security; or

[(vi)](v) to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;

Option:36

(vi) for the protection of a right or a legitimate interest;

(e) compliance would prejudice a lawful purpose of the collection; or

(f) compliance is not reasonably practicable in the circumstances of the particular case.

Option:37

(g) the information─

(i) is or is placed in a data bank operating in terms of a code of conduct; or

(ii) is transferred from a data bank operating in terms of a code of conduct to another data bank or entity operating in terms of a code of conduct.

[Principle 3] Condition 3

Purpose specification

Collection for specific purpose

[12.] 13. (1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

(2) Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.38

[Data subject aware of purpose of collection of information

13. Steps must be taken in accordance with section 17(2) to ensure that the data subject is aware of the purpose of the collection of the information as referred to in section 12.]

Retention and restriction of records

14. (1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—

(a) retention of the record is required or authorised by law;

(b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities;

(c) retention of the record is required by a contract between the parties thereto; or

(d) the data subject or a competent person where the data subject is a child has consented to the retention of the record.

Option:39

(1) Subject to subsections (2) and (3), records of personal information must not be retained [any] longer than [is] necessary for achieving the purpose for which the information was collected or subsequently processed, unless—

(a) retention of the record is required or authorised by law;

(b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities;

(c) retention of the record is required by a contract between the parties thereto; [or]

(d) the data subject has [consented] assented to the retention of the record; or

(e) the purpose for which the information was collected or subsequently processed is or becomes part of a data bank: Provided that such data bank40─

(i) is maintained and operated under a code of conduct; and

(ii) data from it is made available only─

(aa) to persons operating under a code of conduct; or

(bb) subject to the restrictions set out in a code of conduct.

36 Option proposed by Dr Oriani-Ambrosini.

37 Option proposed by Dr Oriani-Ambrosini who pointed out that “There is no reason to outlaw the selling of mailing lists or commercial information when the data subjects have agreed and the information is processed and used in terms of the Act.”.

38 The Technical Committee requested that clause 13 (as introduced) should be inserted in clause 12 (as introduced) because of the close link between the two clauses.

39 Proposal by Dr Oriani-Ambrosini.

(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.

Option:41

(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical, non-commercial, or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.

(3) A responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must—

(a) retain the record for such period as may be required or prescribed by law or a code of conduct; or

(b) if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.

(4) A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).

(5) The destruction or deletion of a record of personal information in terms of subsection (4) must be done in a manner that prevents its reconstruction in an intelligible form.

(6) The responsible party must restrict processing of personal information if—

(a) its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information;

(b) the responsible party no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;

(c) the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or

(d) the data subject requests to transmit the personal data into another automated processing system.

(7) Personal information referred to in subsection (6) may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.

(8) Where processing of personal information is restricted pursuant to subsection (6), the responsible party must inform the data subject before lifting the restriction on processing.

[Principle 4] Condition 4

Further processing limitation

Further processing to be compatible with purpose of collection

40 Refer to clause 1 for proposed definition of “data bank”.

41 Option proposed by Dr Oriani-Ambrosini.

15. (1) Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of [principle 3] section 13.

(2) To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—

(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;

(b) the nature of the information concerned;

(c) the consequences of the intended further processing for the data subject;

(d) the manner in which the information has been collected; and

(e) any contractual rights and obligations between the parties.

(3) The further processing of personal information is [compatible] not incompatible42 with the purpose of collection if—

(a) the data subject or a competent person where the data subject is a child has consented to the further processing of the information;

(b) the information is available in or derived from a public record or has deliberately been made public by the data subject;

(c) further processing is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) [to enforce a law imposing a pecuniary penalty;

(iii)] to comply with an obligation imposed by law or43 to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

[(iv)](iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or

[(v)](iv) in the [legitimate] interests of national security;

(d) the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—

(i) public health or public safety; or

(ii) the life or health of the data subject or another individual;

(e) the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identified form; or

(f) the further processing of the information is in accordance with an [authority] exemption granted under section [34] 37.

[Principle 5] Condition 5

Information quality

Quality of information

16. (1) The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

(2) In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.

[Principle 6] Condition 6

Openness

Notification to Regulator [and to data subject]

17. (1) Personal information may only be processed by a responsible party that has notified the Regulator in terms of Chapter 6.

42 Proposed amendment to be inserted to clarify meaning of subclause.

43 Amendment proposed by FIC.

(2) [If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—

(a) the information being collected;

(b) the name and address of the responsible party;

(c) the purpose for which the information is being collected;

(d) whether or not the supply of the information by that data subject is voluntary or mandatory;

(e) the consequences of failure to provide the information;

(f) any particular law authorising or requiring the collection of the information; and

(g) any further information such as the—

(i) recipient or category of recipients of the information;

(ii) nature or category of the information; and

(iii) existence of the right of access to and the right to rectify the information collected,

which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

(3) The steps referred to in subsection (2) must be taken—

(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or

(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

(4)] A responsible party that compiles or has compiled a manual and made it available in terms of section 14 or 51 of the Promotion of Access to Information Act, does not have to comply with subsection (1) if all the particulars referred to in section [51] 58 of this Act are contained in the manual.

[(5) A responsible party that has previously taken the steps referred to in subsection (2) complies with subsection (2) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information is unchanged.

(6) It is not necessary for a responsible party to comply with subsection (2) if—

(a) the data subject has provided consent for the non-compliance;

(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to enforce a law imposing a pecuniary penalty;

(iii) to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iv) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

(v) in the interests of national security;

(d) compliance would prejudice a lawful purpose of the collection;

(e) compliance is not reasonably practicable in the circumstances of the particular case; or

(f) the information will—

(i) not be used in a form in which the data subject may be identified; or

(ii) be used for historical, statistical or research purposes.]

Notification to data subject when collecting personal information44

18. (1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—

(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;

(b) the name and address of the responsible party;

(c) the purpose for which the information is being collected;

(d) whether or not the supply of the information by that data subject is voluntary or mandatory;

(e) the consequences of failure to provide the information;

(f) any particular law authorising or requiring the collection of the information;

(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;

(h) any further information such as the—

(i) recipient or category of recipients of the information;

(ii) nature or category of the information;

(iii) existence of the right of access to and the right to rectify the information collected;

44 Technical Committee requested that provisions of clause 17, dealing with notification of data subject should be distinguished from provisions of that clause dealing with notification of Regulator. The provisions of clause 17(2), (3), (5) and (6) are now reflected in clause 18(1) to (4).

(iv) the existence of the right to object to the processing of personal information as referred to in section 11(3); and

(v) the right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator,

which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

(2) The steps referred to in subsection (1) must be taken—

(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or

(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.

(4) It is not necessary for a responsible party to comply with subsection (1) if—

(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;

(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or45 to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

(iv) in the interests of national security;

(d) compliance would prejudice a lawful purpose of the collection;

(e) compliance is not reasonably practicable in the circumstances of the particular case; or

(f) the information will—

(i) not be used in a form in which the data subject may be identified; or

(ii) be used for historical, statistical or research purposes.

[Principle 7] Condition 7

Security Safeguards

Security measures on integrity of personal information

[18.] 19. (1) A responsible party must secure the integrity and confidentiality46 of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

(a) loss of, damage to or unauthorised destruction of personal information; and

(b) unlawful access to or processing of personal information.

(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—

(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b) establish and maintain appropriate safeguards against the risks identified;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

45 Insertion of words “to comply with an obligation imposed by law or” proposed by FIC.

46 Proposed amendment approved by Technical Committee on 7/11/11. See also clause 21(2).

(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Information processed by operator or person acting under authority

[19.] 20. An operator or anyone processing personal information on behalf of a responsible party or an operator, must—
(a) process such information only with the knowledge or authorisation of the responsible party; and
(b) treat personal information which comes to their knowledge as confidential and must not disclose it,
unless required by law or in the course of the proper performance of their duties.

Security measures regarding information processed by operator

[20.] 21. (1) A responsible party must ensure that an operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section [18] 19.

(2) The processing of personal information for a responsible party by an operator on behalf of the responsible party must be governed by a written contract between the operator and the responsible party, which requires the operator to establish and maintain integrity and confidentiality [and security] measures to ensure the [integrity] security of the personal information.

(3) If the operator is not domiciled in the Republic, the responsible party must take reasonably practicable steps to ensure that the operator complies with the laws, if any, relating to the protection of personal information of the territory in which the operator is domiciled.

(4) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.⁴⁷

Option:⁴⁸
Subclause (3) to be deleted.

Notification of security compromises

[21.] 22. (1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party[, or any third party processing personal information under the authority of a responsible party,] must notify [the]—
(a) the Regulator; and
(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.

(2) The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

(3) The responsible party may only delay notification of the data subject if [the South African Police Service, the National Intelligence Agency] a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation of the public body concerned.⁴⁹

(4) The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
(a) mailed to the data subject’s last known physical or postal address;
(b) sent by e-mail to the data subject’s last known e-mail address;
(c) placed in a prominent position on the website of the responsible party;
(d) published in the news media; or
(e) as may be directed by the Regulator.

⁴⁷ Wording based on the provisions of Article 31(2) of EU Regulation.
⁴⁸ Option proposed by Dr Oriani-Ambrosini.
⁴⁹ Amendment proposed to ensure that all public bodies involved in stipulated activities are included under ambit of subclause. See also amendment proposed i.r.o. “Exemption concerning data subject’s health” provision.

(5) [A] The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
(a) a description of the possible consequences of the security compromise;
(b) a description of the measures that the responsible party intends to take or has taken to address the security compromise;
(c) a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
(d) if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.⁵⁰

(6) The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

[Principle 8] Condition 8
Data subject participation

Access to personal information

[22.] 23. (1) A data subject, having provided adequate proof of identity, has the right to—
(a) request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and
(b) request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—
(i) within a reasonable time;
(ii) at a prescribed fee, if any[, that is not excessive];
(iii) in a reasonable manner and format; and
(iv) in a form that is generally understandable.

(2) If, [in accordance with subsection (1)(b)] in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section [23] 24 to request the correction of information.

(3) If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1)(b) to enable the responsible party to respond to a request, the responsible party—
(a) must give the applicant a written estimate of the fee before providing the services; and
(b) may require the applicant to pay a deposit for all or part of the fee.

(4) (a) A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.

(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.

(5) If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4)(a), every other part must be disclosed.

⁵⁰ Wording based on Article 31(3)(c) to (e) of EU Regulation.

Correction of personal information

[23.] 24. (1) A data subject may request a responsible party, in the prescribed manner, to—
(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.

(2) On receipt of a request in terms of subsection (1) a responsible party must—
(a) correct the information;
(b) destroy or delete the information;
(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
(d) where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.

(3) If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.

(4) The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.

Manner of access

[24.] 25. The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section[s 22 and 23] 23 of this Act.

Part B
Processing of special personal information

Prohibition on processing of special personal information

[25.] 26. [Unless specifically permitted by this Part a responsible party may not process personal information concerning a—
(a) child who is subject to parental control in terms of the law; or
(b) data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.]
A responsible party may not process personal information concerning—
(a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political [opinions] persuasion, health or sex life [DNA] or biometric information of a data subject; or
(b) the criminal behaviour of a data subject to the extent that such information relates to—
(i) the commission or alleged commission by a data subject of any offence; or
(ii) any proceedings in respect of any offence committed or allegedly committed by a data subject, the disposal of such proceedings or any sentence that has been imposed by a court in such proceedings.⁵¹

General [exemption] authorisation concerning special personal information

⁵¹ Paragraph (b), previously clause 31(5), is based on section 2(g) and (h) of the UK Act. Paragraph (b) is restricted to, among others, “any sentence that has been imposed by a court”. The question is raised whether reference to “any order by a court”, and possibly reference to “expunged convictions”, should also be included in paragraph (b). The Technical Committee decided that this matter should be further discussed in the Portfolio Committee.

[32.] 27. [Without prejudice to sections 26 to 31, the] (1) The prohibition on processing personal information, as referred to in section [25] 26, does not apply if the—
(a) processing is carried out with the consent of a data subject referred to in section 26;
(b) processing is necessary for the establishment, exercise or defence of a right or obligation in law;
(c) processing is necessary to comply with an obligation of international public law;

Option:⁵²

(c) processing is necessary to comply with an obligation of international [public] law;

[(d) Regulator has granted authority in terms of section 34 for processing in the public interest, and appropriate guarantees have been put in place in law to protect the data subject’s privacy; or]

[(e)](d) processing is for historical, statistical or research purposes to the extent that─
(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to ask for express consent,
and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
(e) [insofar as section 25(b) is concerned if—
(i) processing is carried out with the consent of the data subject; or
(ii) the] information has deliberately been made public by the data subject; or
(f) provisions of sections 28 to 33 are, as the case may be, complied with.

(2) The Regulator may, subject to subsection (3), upon application by a responsible party and by notice in the Gazette, authorise a responsible party to process special personal information if such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the data subject.

(3) The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2).

[Exemption] Authorisation concerning data subject’s religious or philosophical beliefs

[26] 28. (1) The prohibition on processing personal information concerning a data subject’s religious or philosophical beliefs, as referred to in section [25] 26, does not apply if the processing is carried out by—
(a) spiritual or religious organisations, or independent sections of those organisations[: Provided that] if─
(i) the information concerns data subjects belonging to those organisations; or
(ii) it is necessary to achieve their aims and principles;⁵³

(b) institutions founded on religious or philosophical principles with respect to their members or employees or other persons belonging to the institution, if it is necessary to achieve their aims and principles; or

(c) other institutions: Provided that the processing is necessary to protect the spiritual welfare of the data subjects, unless they have indicated that they object to the processing.

(2) In the cases referred to in subsection (1)(a), the prohibition does not apply to processing of personal information concerning the religion or philosophy of life of family members of the data subjects, if—
(a) the association concerned maintains regular contact with those family members in connection with its aims; and
(b) the family members have not objected in writing to the processing.

Option:⁵⁴

Subclause (2) to be deleted.

⁵² Option proposed by Dr Oriani-Ambrosini.
⁵³ The proposed amendment aims to extend the ambit of paragraph (a) beyond members of the organisations concerned, in line with the request by the Technical Committee.
⁵⁴ Option proposed by Dr Oriani-Ambrosini.

(3) In the cases referred to in subsections (1) and (2), personal information concerning a data subject’s religious or philosophical beliefs may not be supplied to third parties without the consent of the data subject.

[Exemption] Authorisation concerning data subject’s race or ethnic origin

[27] 29. The prohibition on processing personal information concerning a data subject’s race or ethnic origin, as referred to in section [25] 26, does not apply if the processing is carried out to—
(a) identify data subjects and only when this is essential for that purpose; and
(b) comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.

[Exemption] Authorisation concerning data subject’s trade union membership

[28] 30. (1) The prohibition on processing personal information concerning a data subject’s trade union membership, as referred to in section [25] 26, does not apply to the processing by the trade union to which the data subject belongs or the trade union federation to which that trade union belongs, if such processing is necessary to achieve the aims of the trade union or trade union federation.

(2) In the cases referred to under subsection (1), no personal information may be supplied to third parties without the consent of the data subject.

[Exemption] Authorisation concerning data subject’s political persuasion

[29] 31. (1) The prohibition on processing personal information concerning a data subject’s political persuasion, as referred to in section [25] 26, does not apply to processing by or for an institution founded on political principles of the personal information of─
(a) [their] its members or employees or other persons belonging to the institution, if such processing is necessary to achieve the aims or principles of the institution[s]; or
(b) a data subject if such processing is necessary for the purposes of─⁵⁵
(i) forming a political party;
(ii) participating in the activities of, or engaging in the recruitment of members for or canvassing supporters or voters for, a political party with the view to─
(aa) an election of the National Assembly or the provincial legislature as regulated in terms of the Electoral Act, 1998 (Act No. 73 of 1998);
(bb) municipal elections as regulated in terms of the Local Government: Municipal Electoral Act, 2000 (Act No. 27 of 2000); or
(cc) a referendum as regulated in terms of the Referendums Act, 1983 (Act No. 108 of 1983); or
(iii) campaigning for a political party or cause.

(2) In the cases referred to under subsection (1), no personal information may be supplied to third parties without the consent of the data subject.

[Exemption] Authorisation concerning data subject’s health or [sexual] sex life

[30] 32. (1) The prohibition on processing personal information concerning a data subject’s health or [sexual] sex life, as referred to in section [25] 26, does not apply to the processing by—
(a) medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned;
(b) insurance companies, medical aid schemes, medical aid scheme administrators and managed healthcare organisations, if such processing is necessary for—

⁵⁵ Article 8(4) of the EU Directive allows for additional exemptions “for reasons of substantial public interest”. It therefore appears that the proposed amendment is in line with article 8.

(i) assessing the risk to be insured by the insurance company or covered by the medical aid scheme and the data subject has not objected to the processing;
(ii) the performance of an insurance or medical aid agreement; or
(iii) the enforcement of any contractual rights and obligations;

(c) schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health or [sexual] sex life;

(d) institutions of probation, child protection or guardianship, if such processing is necessary for the performance of their legal duties;

(e) [the Minister and the Minister of Correctional Services] any public body,⁵⁶ if such processing is necessary in connection with the implementation of prison sentences or detention measures; or

(f) administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for—
(i) the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or [sexual] sex life of the data subject; or
(ii) the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.

(2) In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.

(3) A responsible party that is permitted to process information concerning a data subject’s health or [sexual] sex life in terms of this section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the information as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process such information in accordance with subsection (1).

(4) The prohibition on processing any of the categories of personal information referred to in section [25] 26, does not apply if it is necessary to supplement the processing of personal information concerning a data subject’s health, as referred to under subsection (1)(a), with a view to the proper treatment or care of the data subject.

(5) Personal information concerning inherited characteristics may not be processed in respect of a data subject from whom the information concerned has been obtained, unless—
(a) a serious medical interest prevails; or
(b) the processing is necessary for [the purpose of scientific research or statistics] historical, statistical or research activity.

(6) More detailed rules may be prescribed concerning the application of subsection (1)(b) and (f).

Option:⁵⁷

Authorisation concerning data subject’s sex life

32A. (1) The prohibition on processing personal information concerning a data subject’s sex life, as referred to in section 26, does not apply if the processing is carried out by—
(a) organisations providing products or services relating to sex life, or independent sections of those organisations if the information concerns data subjects belonging to those organisations;

(b) institutions founded on principles based on sex life options or practices with respect to their members or employees or other persons belonging to the institution, if it is necessary to achieve their aims and principles; or

(c) other institutions: Provided that the processing is necessary to protect the sex life options or practices of the data subjects, unless they have indicated that they object to the processing.

⁵⁶ Amendment proposed in order to ensure that any public body, for example the Department of Health in respect of the observation of accused persons, could be allowed to process the personal information concerned.
⁵⁷ Option proposed by Dr Oriani-Ambrosini.

(2) In the cases referred to in subsection (1), personal information concerning a data subject’s sex life options or practices may not be supplied to third parties without the consent of the data subject.

[Exemption] Authorisation concerning data subject’s criminal behaviour

[31] 33. (1) The prohibition on processing personal information concerning a data subject’s criminal behaviour, as referred to in section [25] 26, does not apply if the processing is carried out by bodies charged by law with applying criminal law or by responsible parties who have obtained that information in accordance with the law.

(2) The prohibition does not apply to responsible parties who process the information for their own lawful purposes to—
(a) assess an application by a data subject in order to take a decision about, or provide a service to, that data subject; or
(b) protect their legitimate interests in relation to criminal offences which have been, or can reasonably be expected to be, committed against them or against persons in their service.

(3) The processing of information concerning personnel in the service of the responsible party must take place in accordance with the rules established in compliance with labour legislation.

(4) The prohibition on processing any of the categories of [personnel] personal information referred to in section [26] 26 does not apply if such processing is necessary to supplement the processing of information on criminal behaviour permitted by this section.

[General exemption concerning special personal information

32. Without prejudice to sections 26 to 31, the prohibition on processing personal information, as referred to in section 25, does not apply if—
(a) processing is carried out with prior parental consent where the data subject is a child and is subject to parental control in terms of the law;
(b) processing is necessary for the establishment, exercise or defence of a right or obligation in law;
(c) processing is necessary to comply with an obligation of international public law;
(d) the Regulator has granted authority in terms of section 34 for processing in the public interest, and appropriate guarantees have been put in place in law to protect the data subject’s privacy; or
(e) insofar as section 25(b) is concerned if—
(i) processing is carried out with the consent of the data subject; or
(ii) the information has deliberately been made public by the data subject.]⁵⁸

Part C
Processing of personal information of children

Prohibition on processing personal information of children

34. A responsible party may not process personal information concerning a child.

General authorisation concerning personal information of children

35. (1) The prohibition on processing personal information of children, as referred to in section 34, does not apply if the processing is—
(a) carried out with the prior consent of a competent person;
(b) necessary for the establishment, exercise or defence of a right or obligation in law;
(c) necessary to comply with an obligation of international public law; or
(d) for historical, statistical or research purposes to the extent that─
(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to ask for express consent,
and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent.

⁵⁸ The clause has, at the request of the Technical Committee, been inserted at the beginning of Part B of Chapter 3. See clause 28.

(2) The Regulator may, notwithstanding the prohibition referred to in section 34 , but subject to subsection (3), upon application by a responsible party and by notice in the Gazette , authorise a responsible party to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child.

(3) The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2), including conditions with regard to how a responsible party must─
(a) upon request of a competent person provide a reasonable means for that person to─
(i) review the personal information processed; and
(ii) refuse to permit its further processing;
(b) provide notice─
(i) regarding the nature of the personal information of children that is processed;
(ii) how such information is processed; and
(iii) regarding any further processing practices;

(c) refrain from any action that is intended to encourage or persuade a child to disclose more personal information about him- or herself than is reasonably necessary given the purpose for which it is intended; and

(d) establish and maintain reasonable procedures to protect the integrity and confidentiality of the personal information collected from children.

CHAPTER 4
EXEMPTION FROM CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION [INFORMATION PROTECTION PRINCIPLES]

General

[33.] 36. Processing of personal information is not in breach of [an information protection principle] a condition for the processing of such information if the [processing is authorised by the] Regulator grants an exemption in terms of section [34] 37.

Regulator may [authorise] exempt processing of personal information

[34.] 37. (1) The Regulator may [authorise], by notice in the Gazette, grant an exemption to a responsible party to process personal information, even if that processing is in breach of [an information protection principle] a condition for the processing of such information if the Regulator is satisfied that, in the circumstances of the case—
(a) the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing; or
(b) the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.

(2) The public interest referred to in subsection (1) includes—
(a) the [legitimate] interests of [State] national security;
(b) the prevention, detection and prosecution of offences;
(c) important economic and financial interests of [the State or] a public body;
(d) fostering compliance with legal provisions established in the interests referred to under paragraphs (b) and (c); or
(e) historical, statistical or research activity.

(3) The Regulator may impose reasonable conditions in respect of any [authorisation] exemption granted under subsection (1).

CHAPTER 5
SUPERVISION

Part A
Information [Protection] Regulator

Establishment of Information [Protection] Regulator

[35.] 38. There is hereby established a juristic person to be known as the Information [Protection] Regulator, which—
(a) has jurisdiction throughout the Republic;
(b) is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice; [and]
(c) must perform its functions and exercise its powers in accordance with this Act and the Promotion of Access to Information Act; and
(d) is accountable to the National Assembly.

Powers, [and] duties and functions of Regulator⁵⁹

[43] 39. (1) The [powers and duties] powers, duties and functions of the Regulator in terms of this Act are—
(a) [by means of education] to provide education by—
[(a)] (i) [to promote, by education and publicity,] promoting an understanding and acceptance of the [information protection principles] conditions for the lawful processing of personal information and of the objects of those [principles] conditions;
[(b)] (ii) [undertake] undertaking educational programmes, for the purpose of promoting the protection of personal information, [to undertake educational programmes] on the Regulator's own behalf or in co-operation with other persons or authorities acting on behalf of the Regulator; [and]
[(c)] (iii) [to make] making public statements in relation to any matter affecting the protection of the personal information of a data subject or of any class of data subjects;
(iv) [to give] giving advice to data subjects in the exercise of their rights;⁶⁰ and
(v) providing advice, with or without a request, to a Minister or a public or private body on their obligations under the provisions, and generally on any matter relevant to the operation, of this Act;⁶¹

(b) to monitor and enforce compliance by—
[(d)] (i) [to monitor and enforce compliance by] public and private bodies of the provisions of this Act;
[(e)] (ii) undertaking [to undertake] research into, and [to monitor] monitoring developments in, information processing and computer technology to ensure that any adverse effects of such developments on the protection of the personal information of data subjects are minimised, and [to report] reporting to the Minister the results of such research and monitoring;
[(f)] (iii) examining [to examine] any proposed legislation, including subordinate legislation, or proposed policy of the Government that the Regulator considers may affect the protection of the personal information of data subjects, and [to report] reporting to the Minister the results of that examination;
[(g)] (iv) reporting [to report,] with or without request, to Parliament from time to time on any policy⁶² matter affecting the protection of the personal information of a data subject, including the need for, or desirability of, taking legislative, administrative, or other action to give protection or better protection to the personal information of a data subject;
(v) submitting a report to Parliament, within five months of the end of its financial year, on all its activities in terms of this Act during that financial year;⁶³

[(h)] (vi) conducting an assessment, on its own initiative or when requested to do so [by], of a public or private body, [to conduct an audit] in respect of the processing of personal information [maintained] by that body for the purpose of ascertaining whether or not the information is [maintained] processed according to the [information protection principles] conditions for the lawful processing of personal information;

⁵⁹ Technical Committee requested on 7/11/11 that clause 43 (as introduced) be inserted after clause 38.

⁶⁰ Proposal by IT Governance.

⁶¹ Paragraph copied from subclause (1)(c)(iv).

⁶² Technical Committee requested that clause 46(1) be inserted in clause 39.

⁶³ Clause 46(2) inserted under clause 43.

[(i)] (vii) monitoring [to monitor] the use of unique identifiers of data subjects, and [to report] reporting to Parliament from time to time on the results of that monitoring, including any recommendation relating to the need of, or desirability of taking, legislative, administrative, or other action to give protection, or better protection, to the personal information of a data subject;

[(j)] (viii) maintaining, publishing and making available and providing [to maintain, and to publish, make available and provide] copies of such registers as are prescribed in this Act; and

[(k)] (ix) examining [to examine] any proposed legislation that makes provision for the—

[(i)] (aa) collection of personal information by any public or private body; or

[(ii)] (bb) disclosure of personal information by one public or private body to any other public or private body, or both,

to have particular regard, in the course of that examination, to the matters set out in [section 44(3) of this Act] subsection (3), in any case where the Regulator considers that the information might be used for the purposes of an information matching programme, and [to report] reporting to the Minister and Parliament the results of that examination;

(c) [by means of consultation] to consult with interested parties by—

[(l)] (i) [to receive and invite] receiving and inviting representations from members of the public on any matter affecting the personal information of a data subject;

[(m)] (ii) [to consult and co-operate] co-operating on a national and international basis with other persons and bodies concerned with the protection of personal information [principles]; and

[(n)] (iii) [to act] acting as mediator between opposing parties on any matter that concerns the need for, or the desirability of, action by a responsible party in the interests of the protection of the personal information of a data subject; [and]

[(o)] (iv) [to] provide advice, with or without a request, to a Minister or a public or private body on their obligations under the provisions, and generally on any matter relevant to the operation, of this Act;]

(d) to handle complaints by—

[(p)] (i) receiving and investigating [to receive and investigate] complaints about alleged violations of the protection of personal information of data subjects and [in respect thereof make reports] reporting to complainants in respect of such complaints;

[(q)] (ii) gathering [to gather] such information as in the Regulator's opinion will assist the Regulator in discharging the duties and carrying out the Regulator's functions under this Act;

[(r)] (iii) attempting [to attempt] to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation; and

[(s)] (iv) serving [to serve] any notices in terms of this Act and further [promote] promoting the resolution of disputes in accordance with the prescripts of this Act;

(e) to conduct research and to report to Parliament—

[(t)] (i) [to report to Parliament] from time to time on the desirability of the acceptance, by South Africa, of any international instrument relating to the protection of the personal information of a data subject; and

[(u)] (ii) [to report to Parliament] on any other matter, including necessary legislative amendments, relating to protection of personal information that, in the Regulator's opinion, should be drawn to Parliament’s attention;

(f) in respect of codes of conduct to—

[(v)] (i) [to] issue, from time to time, codes of conduct, [amendment of] amend codes and [revocation of] to revoke codes of conduct;

[(w)] (ii) [to] make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct; and

[(x)] (iii) [to review an adjudicator’s decision] consider afresh, upon application, determinations by adjudicators under approved codes of conduct; and

(g) [by facilitating] to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation;

[(g)] (h) in general to—

[(y)] (i) [to] do anything incidental or conducive to the performance of any of the preceding functions;

[(z)] (ii) [to] exercise and perform such other functions, powers, and duties as are conferred or imposed on the Regulator by or under this Act or any other [enactment] legislation;

[(aa)] (iii) [to] require the responsible party to disclose to any person affected by a compromise to the [confidentiality or] integrity or confidentiality of personal information, [this fact] such compromise in accordance with section [21 of this Act] 22; and

[(bb)] (iv) [to] exercise the powers conferred upon the Regulator by this Act in matters relating to the access of information as provided by the Promotion of Access to Information Act.

(2) The Regulator may, from time to time, in the public interest or in the legitimate interests of any person or body of persons, publish reports relating generally to the exercise of the Regulator’s functions under this Act or to any case or cases investigated by the Regulator, whether or not the matters to be dealt with in any such report have been the subject of a report to the Minister.

(3) In performing its functions in terms of subsection (1)(b)(ix)(bb) with regard to information matching programmes, the Regulator must have particular regard to whether or not the—

(a) objective of the programme relates to a matter of significant public importance;

(b) use of the programme to achieve that objective will result in monetary savings that are both significant and quantifiable or in other comparable benefits to society;

(c) use of an alternative means of achieving that objective would give either of the results referred to in paragraph (b);

(d) public interest in allowing the programme to proceed outweighs the public interest in adhering to the information protection principles that the programme would otherwise contravene; and

(e) programme involves information matching on a scale that is excessive, having regard to—

(i) the number of responsible parties or operators that will be involved in the programme; and

(ii) the amount of detail about a data subject that will be matched under the programme.⁶⁴

(4) The provisions of sections 3 and 4 of the Commissions Act, 1947 (Act No. 8 of 1947), will apply, with the necessary changes, to the Regulator.

[(3)] (5) The powers and duties of the Regulator in terms of the Promotion of Access to Information Act are set out in Parts 4 and 5 of that Act.

[Constitution and period of office of Regulator] Appointment, period of and removal from office of members of Regulator

[36.] 40. (1) (a) The Regulator consists of the following members:

(i) A Chairperson; and

(ii) four other persons, as ordinary members of the Regulator.

(b) Members of the Regulator must be appropriately qualified, fit and proper persons [for appointment]—

(i) at least one of whom must be appointed on account of experience as a [practicing] practising advocate or attorney or a professor of law at a university[, or]; and

(ii) the remainder of whom must be appointed on account of any other qualifications, expertise and experience⁶⁵ relating to the objects of the Regulator.

(c) The Chairperson of the Regulator must [perform his or her functions under the Act and the Promotion of Access to Information Act]⁶⁶ be appointed in a full-time capacity and [must not be employed in any other capacity] may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which he or she holds office as Chairperson.

(d) [The other members of the Regulator must be appointed in a part-time capacity.] The ordinary members of the Regulator must be appointed as follows:

(i) Two ordinary members in full-time capacity; and

(ii) two ordinary members in a full-time or part-time capacity.

⁶⁴ Subclause (3) formed part of clause 44(3) of the introduced version of the Bill.

⁶⁵ Wording based on section 5(3)(b)(ii) of ICASA Act.

⁶⁶ See clause 42(1)(a) in connection with functions of Chairperson.

(e) The members referred to in paragraph (d) who are appointed in a full-time capacity, may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which they hold office.

[(e)] (f) The Chairperson must direct the work of the Regulator and the [Secretariat] staff of the Regulator.⁶⁷

[(f)] (g) [No person will be qualified for appointment as a member of the Regulator if that person] A person may not be appointed as a member of the Regulator if he or she⁶⁸—

[(i) is a member of a legislature;

(ii) is a councillor of a local authority;]

(i) is not a citizen of the Republic;

(ii) is a public servant [or the holder of any other remunerated position under a public body;]⁶⁹

(iii) is a member of Parliament, any provincial legislature or any municipal council;

(iv) is an office-bearer or employee of any political party;

[(iii)] (v) is an unrehabilitated insolvent; [or]

(vi) has been declared by a court to be mentally ill or unfit; or

[(iv)] (vii) has at any time been convicted, whether in the Republic or elsewhere, of any offence involving dishonesty.

(2) (a) [Members of the Regulator referred to in subsection (1)(a) must be appointed by the President and must be persons approved by Parliament, after considering proposals made by interested parties in terms of subsection (4)]. The Chairperson and the members of the Regulator referred to in subsection (1)(a) must be appointed by the President on the recommendation of the National Assembly.

(b) The National Assembly must recommend persons—

(i) nominated by a committee of the Assembly composed of members of parties represented in the Assembly; and

(ii) approved by the Assembly by a resolution adopted with a supporting vote of a majority of the members of the Assembly.

[(3) The President may appoint one or more additional members if he or she considers it necessary for the investigation of any particular matter or the performance of any duty by the Regulator.

(4) Before the members of the Regulator are appointed the Minister must invite interested parties through the media and by notice in the Gazette to propose candidates within 30 days of the publication of such notice, for consideration as contemplated in subsection (2)]⁷⁰.

[(5)](3) The members of the Regulator will be appointed for a period of not more than five years and will, at the expiration of such period, be eligible for reappointment.

(4) The Chairperson of the Regulator or a member who has been appointed in a full-time capacity may, notwithstanding the provisions of subsection (1) (c) or (e) , only perform or undertake to perform any other remunerative work during the period that he or she holds office as Chairperson or member with the prior written consent of the Minister.

[(6)](5) A person appointed as a member of the Regulator may, upon written notice to the President, resign from office [by writing under his or her hand addressed to the President and will in any case vacate office on attaining the age of 70 years].

[(7)] (6) (a)⁷¹ A member may be removed from office only on— [by the President on the request of Parliament only for inability to discharge the functions of the office, whether arising from infirmity of body or mind or any other cause, or for misbehaviour]

(i) the ground of misconduct, incapacity or incompetence;

(ii) a finding to that effect by a committee of the National Assembly; and

(iii) the adoption by the National Assembly of a resolution calling for that person’s removal from office.

(b) A resolution of the National Assembly concerning the removal from office of a member of the Regulator must be adopted with a supporting vote of a majority of the members of the Assembly.

(c) The President—

(i) may suspend a member from office at any time after the start of the proceedings of a committee of the National Assembly for the removal of that member; and

(ii) must remove a member from office upon adoption by the Assembly of the resolution calling for that member’s removal.

⁶⁷ The term “Secretariat” is not appropriate in view of request by Technical Committee to provide for a Chief Executive Officer.

⁶⁸ Wording of proposed additional provisions has been taken from section 6 of the ICASA Act.

⁶⁹ Disqualification of public servant for appointment as member: Pending final decision by Portfolio Committee.

⁷⁰ Subclauses (3) and (4) do not serve any useful purpose in view of the proposed amendment of subclause (2).

⁷¹ Proposed amendment of subclause (7) is based on provisions of section 194 of the Constitution dealing with removal from office of a member of a Chapter 9 institution.

Vacancies

41. (1) A vacancy in the Regulator occurs if a member—

(a) becomes subject to a disqualification referred to in section 40(1)(g);

(b) tenders his or her resignation as contemplated in section 40(5) and the resignation takes effect;

(c) is removed from office in terms of section 40(6);

(d) dies; or

(e) becomes permanently incapable of doing his or her work.

(2) (a) Where a vacancy has arisen as contemplated in subsection (1), the procedure contemplated in section 40(2) applies.

(b) Any member appointed under this subsection holds office for the rest of the period of the predecessor's term of office, unless the President, upon recommendation by the National Assembly, appoints that member for a longer period which may not exceed five years.

Powers, duties and functions of Chairperson and other members

42. (1) The Chairperson─

(a) must exercise the powers and perform the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act; and

(b) is, for the purposes of exercising the powers and performing the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act, accountable to the Regulator.

(2) (a) The members referred to in section 40(1)(d)(i) must exercise their powers and perform their duties and functions as follows:

(i) One member in terms of this Act; and

(ii) one member in terms of the Promotion of Access to Information Act.

(b) The members referred to in section 40(1) (d) (ii) must exercise their powers and perform their duties and functions either in terms of this Act or the Promotion of Access to Information Act, or both.

(c) The members, referred to in paragraphs (a) and (b) , are, for the purposes of exercising their powers and performing their duties and functions, accountable to the Chairperson.

Regulator to have regard to certain matters

[44] 43. [(1) The Regulator is independent in the performance of its functions as set out in section 35(b).

(2)] In the performance of its functions, and the exercise of its powers, under this Act the Regulator must—

(a) have due regard to the [protection of personal information as set out in the information protection principles] conditions for the lawful processing of personal information as referred to in Chapter 3;

(b) have due regard for the protection of all human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the legitimate interests of [government and business] public and private bodies in achieving their objectives in an efficient way;

(c) take account of international obligations accepted by South Africa[, including those concerning the international technology of communications]; and

(d) consider any developing general international guidelines relevant to the better protection of individual privacy.


[(3)⁷² In performing its functions in terms of section 43(1)(k) with regard to information matching programmes, the Regulator must have particular regard to whether or not the—

(a) objective of the programme relates to a matter of significant public importance;

(b) use of the programme to achieve that objective will result in monetary savings that are both significant and quantifiable or in other comparable benefits to society;

(c) use of an alternative means of achieving that objective would give either of the results referred to in paragraph (b);

(d) public interest in allowing the programme to proceed outweighs the public interest in adhering to the information protection principles that the programme would otherwise contravene; and

(e) programme involves information matching on a scale that is excessive, having regard to—

(i) the number of responsible parties or operators that will be involved in the programme; and

(ii) the amount of detail about a data subject that will be matched under the programme.]

Conflict of interest

44. (1) If any member of the Regulator or any person appointed by the Regulator in terms of this Act has a material interest in any matter which could conflict with the proper performance of his or her duties in terms of this Act or the Promotion of Access to Information Act, he or she must disclose that interest, as prescribed, as soon as practicable after the relevant facts came to his or her knowledge.

(2) (a) If a member of the Regulator or person referred to in subsection (1)─

(i) is present at a meeting of the Regulator or committee referred to in section 48 or 49 at which a matter contemplated in that subsection is to be considered, the member or person concerned must disclose the nature of his or her interest to the meeting before the matter is considered; or

(ii) fails to make a disclosure as required by this subsection and is present at a meeting of the Regulator or committee, as the case may be, or in any other manner participates in the proceedings, such proceedings in relation to the relevant matter must, as soon as the non-disclosure is discovered, be reviewed and be varied or set aside by the Regulator or the committee, as the case may be, without the participation of the member or person concerned.

(b) A member of the Regulator or person referred to in subsection (1) who is obliged to make a disclosure in terms of this subsection may not be present during any deliberation, or take part in any decision, in relation to the matter in question.

(c) Any disclosure made in terms of this subsection must be noted in the minutes of the relevant meeting of the Regulator or committee.

(3) A member of the Regulator or person referred to in subsection (1) who has disclosed a conflict of interest in terms of subsection (1)─

(a) may perform all duties relating to the matter in question if a decision has been taken that the interest is trivial or irrelevant; or

(b) must be relieved of all duties relating to the matter in question and such duties must be performed by another member of the Regulator or by another person referred to in subsection (1), as the case may be, who has no such conflict of interest.

Remuneration, allowances, benefits and privileges of members

[37] 45. (1) A member of the Regulator or a person referred to in section 48(1)(b) or 49(1)(b) who is not subject to the provisions of the Public Service Act, 1994 (Proclamation No. 103 of 1994)⁷³, or who is not a judge of the High Court of South Africa or a magistrate will be entitled to such remuneration, allowances, including allowances for reimbursement of travelling and subsistence expenses incurred by him or her in the performance of his or her functions under this Act and the Promotion of Access to Information Act, benefits and privileges as [the Minister in consultation with the Minister of Finance may determine] Parliament may determine.

(2) The remuneration, allowances, benefits or privileges of different members of the Regulator may differ according to the different—

(a) [offices] positions held by them in the Regulator; or

(b) functions performed, whether in a part-time or full-time capacity, by them from time to time.

⁷² Subclause (3) has been moved to clause 39(3).

⁷³ See clause 40(1)(g)(ii), decision regarding disqualification of public servants for appointment as members of Regulator still pending.

(3) In the application of subsections (1) and (2), the President or the Minister, as the case may be, may determine that any remuneration, allowance, benefit or privilege contemplated in those subsections will be the remuneration, allowance, benefit or privilege determined from time to time by or under any law in respect of any person or category of persons.⁷⁴

[Secretary and staff] Staff

[38] 46. (1) [The Secretary of the Regulator and such other officers and employees as are required for the proper performance of the Regulator's functions, will be appointed in terms of the Public Service Act, 1994 (Proclamation No. 103 of 1994).] The Regulator must establish its own administration to assist it in the performance of its functions and to this end the Regulator must appoint—⁷⁵

(a) a suitably qualified and experienced person, or secure the secondment of such person in terms of subsection (6), as chief executive officer of the Regulator for the purpose of assisting the Regulator, subject to the Regulator's direction and supervision, in the performance of all financial and administrative functions in terms of this Act and the Promotion of Access to Information Act, work arising from the administration of this Act and the Promotion of Access to Information Act and to exercise any power delegated by the Regulator to him or her; and

(b) such other member of staff, or secure the secondment of such persons in terms of subsection (6), as the Regulator may deem necessary to assist the Regulator and the chief executive officer, as the case may be, with all such work as may arise through the performance of its functions.

(2)⁷⁶ (a) The chief executive officer may appoint a senior member of staff as acting chief executive officer to perform the functions of the chief executive officer in his or her absence.

(b) A member of the Regulator may not be appointed as acting chief executive officer.

(c) In the event that the chief executive officer is absent for a longer period the Regulator must appoint an acting chief executive officer.

(3) The Regulator must, in the appointment of the staff of the Regulator—

(a) provide for the advancement of persons disadvantaged by unfair discrimination, with the aim that its staff, when viewed collectively, represents a broad cross-section of the population of the Republic; and

(b) subject to paragraph (a), apply equal opportunity employment practices.

(4) The Regulator may pay to the persons in its employ such remuneration and allowances and provide them with such pension and other employment benefits as are consistent with that paid in the public sector.⁷⁷

(5) In exercising its powers in terms of subsections (1) and (4), the Regulator must consult with the Minister of Finance.

(6) The Regulator may, in the performance of the functions contemplated in subsection (1), at its request, be assisted by officials in the Public Service seconded to the service of the Regulator in terms of any law regulating such secondment.

Option:⁷⁸

(6A) The Regulator may─

(a) within one year after the members referred to in section 40(1)(a) have been appointed; and

(b) for purposes of securing such assistance as may be necessary to enable it to establish its own administration,

request to be assisted by officials in the Public Service seconded to the service of the Regulator in terms of any law regulating such secondment.

⁷⁴ In view thereof that Parliament will determine remuneration it is recommended that subclause (3) should be deleted.

⁷⁵ Clause represents the proposal that a clearer distinction should be drawn between the functions of the Chairperson and the chief executive officer.

⁷⁶ Subclause (2) could be replaced with clause 46 in order to clarify what the functions of the chief executive officer are.

⁷⁷ It has recently been proposed that “public sector” remuneration should be deleted in order to secure the services of specialists.

⁷⁸ Option proposed by Ms Smuts.

[(2)] (7) The Regulator may, [with the approval of the Minister]⁷⁹ in consultation with the Minister of Finance, on a temporary basis or for a particular matter which is being investigated by it, employ any person with special knowledge of any matter relating to the work of the Regulator, or obtain the co-operation of any body, to advise or assist the Regulator in the performance of its functions under this Act and the Promotion of Access to Information Act, and fix the remuneration, including reimbursement for travelling, subsistence and other expenses, of such person or body.

Powers, duties and functions of Chief Executive Officer

47. The chief executive officer─

(a) is the head of administration and the accounting officer, as referred to in section 52(3), of the Regulator;

(b) may appoint a senior member of staff, other than a member of the Regulator, as acting chief executive officer to perform the functions of the chief executive officer in his or her absence;

(c) is responsible for the─

(i) management of the affairs and operations of the Regulator;

(ii) formation and development of an efficient administration;

(iii) organisation and management of, and administrative control over, all the members of staff appointed in terms of section 46(1)(b), all the persons seconded in terms of section 46(6);

(iv) maintenance of discipline in respect of the members of staff; and

(v) execution of the decisions of the Regulator,

and is for those purposes accountable to the Regulator and must report thereon to the Regulator as often as may be required by the Regulator; and

(d) must exercise the powers and perform the duties and functions which the Regulator may from time to time confer upon or assign to him or her in order to achieve the objects of the Regulator, and is for those purposes accountable to the Regulator.

Committees of Regulator

[39] 48. (1) The Regulator may, if it considers it necessary for the proper performance of its functions establish one or more committees, which must consist of— [(a) a working committee, which must consist of such members of the Regulator as the Regulator may designate;

(b) such other committees as it may deem necessary, and which must consist of—

(i)] (a) such members of the Regulator as the Regulator may designate; or

[(ii)] (b) such members of the Regulator as the Regulator may designate and other persons appointed by the [Minister] Regulator, as referred to in section 46(7), for the period determined by the [Minister] Regulator.

(2) The [Minister] Regulator may at any time extend the period of an appointment referred to in subsection (1)(b)[(ii)] or, if in [his or her] its opinion good reasons exist therefor, revoke any such appointment.

(3) The Regulator must designate the chairperson and, if the Regulator deems it necessary, the vice-chairperson of a committee established under subsection (1).

(4) (a) A committee referred to in subsection (1) must, subject to the directions of the Regulator, perform those functions of the Regulator assigned to it by the Regulator.

(b) Any function so performed by [the working] a committee referred to in subsection (1)[(a) and (b) ] will be deemed to have been performed by the Regulator.

(5) The Regulator may at any time dissolve any committee established by the Regulator.

(6) The provisions of sections [40 and 45(4)] 39(4)⁸⁰ and 51 will apply, with the necessary changes, to a committee of the Regulator.

⁷⁹ Proposed amendment as a result of provisions of clause 46(1)(b).

⁸⁰ Refer to footnote 87 (clause 45 as introduced).

Establishment of Enforcement Committee

49. (1) The Regulator must establish an Enforcement Committee which must consist of—

(a) at least one member of the Regulator; and

(b) such other persons appointed by the Regulator, as referred to in section 46(7), for the period determined by the Regulator.

(2) The Regulator must─

(a) in consultation with the Chief Justice and Minister, appoint a—

(i) judge of the High Court of South Africa, whether in active service or not; or

(ii) magistrate with at least 10 years’ appropriate experience, whether in active service or not; or

(b) appoint an advocate or attorney with at least 10 years’ appropriate experience,

as Chairperson of the Enforcement Committee.

(3) The Chairperson of the Enforcement Committee must manage the work of and preside at hearings of the Enforcement Committee.

(4) (a) A member referred to in subsection (1) (a) may not participate in any proceedings of the Regulator in terms of which a decision is taken with regard to a recommendation by the Enforcement Committee as referred to in section 50.

(b) A person referred to in subsection (1) (b) must be a fit and proper person and must comply with the criteria, referred to in section 40(1) (g) , for appointment as a member of the Regulator.

Functions of Enforcement Committee⁸¹

50. The Enforcement Committee─

(a) must consider all matters referred to it by the Regulator in terms of section 96A or the Promotion of Access to Information Act and make a finding in respect thereof; and

(b) may make any recommendation to the Regulator necessary or incidental to any action that should be taken against—

(i) a responsible party in terms of this Act; or

(ii) an information officer or head of a private body, as the case may be, in terms of the Promotion of Access to Information Act.

Meetings of Regulator

[40] 51. (1) Meetings of the Regulator must be held at the times and places determined by the Chairperson of the Regulator.

(2) The majority of the members of the Regulator will constitute a quorum for a meeting.

(3) The [Regulator] Chairperson may regulate the proceedings at meetings as [it] he or she may think fit and must keep minutes of the proceedings.⁸²

(4) (a) Subject to subsection (2), a decision of the Regulator is taken by resolution agreed to by the majority of members at any meeting of the Regulator.

(b) In the event of an equality of votes regarding any matter the Chairperson has a casting vote in addition to his or her deliberative vote.

⁸¹ Clause 50 will have to be included in Chapter 10 if those provisions dealing with Enforcement Committee reflected in that Chapter are approved by the Portfolio Committee.

⁸² It is recommended that provision should be made for the absence of the Chairperson at a meeting as follows: “If the Chairperson is absent from a meeting the members present shall elect one of their number to preside at that meeting”.

Funds

[41] 52. (1) [Parliament must appropriate annually, for the use of the Regulator, such sums of money as may be necessary for the proper exercise, performance and discharge, by the Regulator, of its powers, duties and functions under this Act and the Promotion of Access to Information Act.] Funds of the Regulator consist of─

(a) such sums of money that Parliament appropriates annually, for the use of the Regulator as may be necessary for the proper exercise, performance and discharge, by the Regulator, of its powers, duties and functions under this Act and the Promotion of Access to Information Act; and

(b) fees as may be prescribed in terms of section 113(1)(a) and (b)(ii).⁸³

Option:84

Paragraph (b) to be deleted.

(2) The financial year of the Regulator is the period from 1 April in any year to 31 March in the following year, except that the first financial year of the Regulator begins on the date that this [Act] Chapter comes into operation, and ends on 31 March next following that date.

(3) The [Chairperson of the Regulator is the accounting authority] chief executive officer of the Regulator is for purposes of the Public Finance Management Act, 1999 (Act No. 1 of 1999), the accounting officer and must execute his or her duties in accordance with that Act.

(4) Within six months after the end of each financial year, the Regulator must prepare financial statements in accordance with established accounting practice, principles and procedures, comprising—

(a) a statement reflecting, with suitable and sufficient particulars, the income and expenditure of the Regulator during the preceding financial year; and

(b) a balance sheet showing the state of its assets, liabilities and financial position as at the end of that financial year.

(5) The Auditor-General must audit the Regulator’s financial records each year.

Protection of Regulator

[42] 53.[A] Any person acting on behalf or under the direction of the Regulator, is not civilly or criminally liable for anything done in good faith in the exercise or performance or purported exercise or performance of any power, duty or function of the Regulator in terms of this Act or the Promotion of Access to Information Act.

Option:85

To delete clause 53.

[Programmes of Regulator

45. (1) In order to achieve its objects in terms of this Act the Regulator must from time to time draw up programmes in which the various matters which in its opinion require consideration are included in order of preference, and must table such programmes in Parliament for information.

(2) The Regulator may include in any programme any suggestion relating to its objects received from any person or body.

(3)86 The Regulator may consult any person or body, whether by the submission of study documents prepared by the Regulator or in any other manner.

(4) The provisions of sections 2, 3, 4, 5 and 6 of the Commission’s Act, 1947 (Act No. 8 of 1947), will apply, with the necessary changes, to the Regulator]87.

[Reports of Regulator

83 Dr Oriani-Ambrosini expressed his concern with regard to providing the Regulator with the power to collect fees.

84 Option proposed by Dr Oriani-Ambrosini.

85 Option proposed by Dr Oriani-Ambrosini.

86 Technical Committee requested on 8/4/10 that clause 45(3) be inserted in clause 39. Since clause 39(1)(c) is broad enough to cover the provisions of subclause (3) that subclause was deleted.

87 The Technical Committee requested that clause 45(4) be inserted in clause 83. In a previous working draft of the Bill it was pointed out that “… the powers referred to in sections 2 to 6 of the Commissions Act, 1947, are already provided for in clause 79.” and that “… clause 45(4) be deleted”. However, after having reconsidered the provisions concerned it is recommended that an amended clause 45(4) be inserted in clause 39(4) insofar as it refers to sections 3 and 4 of the Commissions Act and that section 6 of the Commissions Act be inserted in the sanctions clause – clause 103A.


46. (1)88 The Regulator must prepare a full report in regard to any matter investigated by it in terms of this Act and must submit such report to Parliament for information.

(2) The Regulator must within five months of the end of a financial year of the Department of Justice and Constitutional Development submit to the Minister a report on all its activities in terms of this Act during that financial year.

(3) The report referred to in subsection (2) must be tabled in Parliament within 14 days after it was submitted to the Minister, if Parliament is then in session, or, if Parliament is not in session, within 14 days after the commencement of its next ensuing session].

Duty of confidentiality

[47] 54. A person acting on behalf or under the direction of the Regulator, must, both during or after his or her term of office or employment, treat as confidential the personal information which comes to his or her knowledge in the course of the performance of his or her official duties, except if the communication of such information is required by law or in the proper performance of his or her duties.

Part B

Information [Protection] Officer

Duties and responsibilities of Information [Protection] Officer89

[48] 55. (1) An information [protection] officer’s responsibilities include—

(a) the encouragement of compliance, by the body, with the [information protection principles] conditions for the lawful processing of personal information;

(b) dealing with requests made to the body pursuant to this Act;

(c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body; [and]

(d) otherwise ensuring compliance by the body with the provisions of this Act; and

(e) as may be prescribed.

(2) Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Regulator.

Designation and delegation of deputy information [protection] officers

[49] 56. Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of—

(a) such a number of persons, if any, as deputy information [protection] officers as is necessary to perform the duties and responsibilities as set out in section [48(1)] 55(1) of this Act; and

(b) any power or duty conferred or imposed on an information [protection] officer by this Act to a deputy information [protection] officer of that public or private body.

CHAPTER 6

NOTIFICATION AND PRIOR [INVESTIGATION] AUTHORISATION

Part A

Notification

Notification of processing

[50] 57. (1) A responsible party {{Option: Dr Oriani-Ambrosini: in respect of which a code of conduct applies}} must, subject to section 59, notify the Regulator before commencing the—

88 Subclause (1) has been inserted in clause 39(1)(b)(iv).

89 The Technical Committee received an input in terms of which it is recommended that the duties of the information officers be further explained in terms of clause 54. It is, however, recommended that it may be more appropriate to provide for regulations to be issued in order to provide more detail with regard to the duties and responsibilities of the information officers.


(a) fully or partly automated processing of personal information or categories of personal information intended to serve a single purpose or different related purposes; [and] or

(b) non-automated processing of personal information intended to serve a single purpose or different related purposes[, must be notified if this] if such processing is subject to a prior investigation as referred to in section 62.

(2) The notification referred to in subsection (1) must be noted in a register kept by the Regulator for this purpose.

Notification to contain specific particulars

[51] 58. (1) The notification must contain the following particulars:

(a) The name and address of the responsible party;

(b) the purpose of the processing;

(c) a description of the categories of data subjects and of the information or categories of information relating thereto;

(d) the recipients or categories of recipients to whom the personal information may be supplied;

(e) planned transborder flows of personal information; and

(f) a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.

(2) Subject to subsection (3) a responsible party will only have to give notice once, and not each time personal information is received or processed.

(3) Changes in the name or address of the responsible party must be notified within one week and changes to the notification which concern subsection (1)(b) to (f) must be notified in each case within one year of the previous notification, if they are of more than incidental importance.

(4) Any processing which departs from that which has been notified in accordance with the provisions of subsection (1)(b) to (f) must be recorded and kept for at least three years.

(5) More detailed rules may be prescribed concerning the procedure for submitting notifications.

Exemptions to notification requirements

[52] 59.(1) The Regulator may by notice exempt certain categories of information processing which are unlikely to infringe the legitimate interests of a data subject from the notification requirement referred to in section [50] 57.

(2) If processing of personal information is necessary in order to detect offences in a particular case, it may be prescribed that certain categories of processing by responsible parties who are vested with investigating powers by law, are exempt from notification.

(3) The notification requirement does not apply to public registers set up by law or to information supplied to a public body pursuant to a legal obligation.

(4) Any exemption granted to a responsible party from the provisions set out in section 14 or 51 of the Promotion of Access to Information Act will also apply as an exemption of the notification requirements set out in terms of this Act.

Register of information processing

[53] 60.(1) The Regulator must maintain an up-to-date register of the information processing notified to it, which register must contain, as a minimum, the information provided in accordance with section [51(1)] 58(1).

(2) The register may be consulted by any person free of charge.

(3) The responsible party must provide any person who requests information referred to in section [50(1)] 58(1) with the information so requested.

(4) The provisions of subsection (3) do not apply to—


(a) information processing which is covered by an exemption which has been granted in terms of section 37 [under Chapter 4]; and

(b) public registers set up by law.

Failure to notify

[54] 61.(1) If section [50(1)] 57(1) is contravened, the responsible party is guilty of an offence and liable to a penalty as set out in section [99] 110.

(2) Any responsible party who fails to comply with the duty imposed by notification regulations made by virtue of sections [102] 58(5) and 114(2)(e) is guilty of an offence and liable to a penalty as set out in section [99] 110.90

Option:

(2) Regulations made in terms of sections 85(5) and 114(2)(e) may, in respect of any contravention thereof or failure to comply therewith, prescribe as a penalty a fine or imprisonment for a period not exceeding 12 months.

Option:91

61. (1) If section [50(1)] 57(1) is contravened, and the responsible party has failed to comply with an enforcement notice in terms of section 98, the responsible party is guilty of an offence and liable to a penalty as set out in section [99] 110.

(2) Any responsible party who fails to comply with the duty imposed by notification regulations made by virtue of sections [102] 58(5) and 114(2) (e) and has failed to comply within an enforcement notice in terms of section 98 is guilty of an offence and liable to a penalty as set out in section [99] 110.

Part B

Prior [investigation] authorisation

Processing subject to prior [investigation] authorisation

[55] 62. (1) The [Regulator must initiate an investigation] responsible party must obtain prior authorisation from the Regulator prior to any processing if [a] that responsible party plans to—

(a) [process a number identifying data subjects for a purpose other than the one for which the number is specifically intended with the aim of linking the information together with information processed by other responsible parties, unless the number is used for the cases defined in Chapter 4]; process any unique identifiers of data subjects—

(i) for a purpose other than the one for which the identifier was specifically intended at collection; and

(ii) with the aim of linking the information together with information processed by other responsible parties,

unless the Regulator is satisfied that, in the circumstances of the case—

(aa) the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing; or

(bb) the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing;

(b) process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;

(c) process information for the purposes of credit reporting; [and] or

(d) transfer special personal information, as referred to in section [26] 26, or the personal information of children as referred to in 34, to [foreign countries without adequate information protection laws] a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 77(a).

90 The alternative proposal aims to clarify that offences may be created in terms of the regulations if necessary.

91 Option proposed by Dr Oriani-Ambrosini.


Option:92

(d) transfer special personal information, as referred to in section [26] 26 or 34, to foreign countries without adequate information protection laws or in the absence of binding agreements.

(2) The provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.

(3) [Part B of Chapter 6 will not be] This section and section 63 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.

Responsible party to notify Regulator if processing is subject to prior [investigation] authorisation

[56] 63. (1) Information processing [under a code of conduct] as contemplated in section [55(3)] 62(1) must be notified as such by the responsible party to the Regulator.

(2) Responsible parties may not carry out information processing that has been notified to the Regulator in terms of subsection (1) until the Regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conducted.

(3) In the case of the notification of information processing to which section [55(1)] 62(1) is applicable, the Regulator must inform the responsible party in writing within four weeks of the notification as to whether or not it will conduct a more detailed investigation.

(4) In the event that the Regulator decides to conduct a more detailed investigation, it must indicate the period within which it plans to conduct this investigation, which period must not exceed 13 weeks.

(5) On conclusion of the more detailed investigation referred to in subsection (4) the Regulator must issue a statement concerning the lawfulness of the information processing.

(6) A statement by the Regulator in terms of subsection (5), to the extent that the information processing is not lawful,93 is deemed to be an enforcement notice served in terms of section [90] 98 of this Act.

(7) A responsible party that has suspended its processing as required by subsection (2), and which has not received the Regulator’s decision within the time limits specified in subsections (3) and (4), may presume a decision in its favour and continue with its processing.

Failure to notify processing subject to prior authorisation

64. If section 63(1) or (2) is contravened, the responsible party is guilty of an offence and liable to a penalty as set out in section 110.

CHAPTER 7

CODES OF CONDUCT

Issuing of codes of conduct

[57] 65. (1) The Regulator may from time to time issue [a code] codes of conduct.

(2) A code of conduct must—

(a) incorporate all the [information protection principles] conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those [principles] conditions; and

(b) prescribe how the [information protection principles] conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular

92 Option proposed by Dr Oriani-Ambrosini.

93 Proposed wording has been inserted in an attempt to clarify the meaning of subclause (6).


features of the sector or sectors of society in which the relevant responsible parties are operating.

(3) A code of conduct may apply in relation to any one or more of the following:

(a) Any specified information or class of information;

(b) any specified body or class of bodies;

(c) any specified activity or class of activities; or

(d) any specified industry, profession, or [calling] vocation or class of industries, professions, or [callings] vocations.

(4) A code of conduct must also—

(a) [in relation to any body that is not a public body, provide for controls in relation to the comparison, whether manually or by means of any electronic or other device, of personal information with other personal information for the purpose of producing or verifying information about an identifiable data subject] [provide for controls in relation to information matching programmes if such programmes are used within a specific sector;94] specify appropriate measures—

(i) for information matching programmes if such programmes are used within a specific sector; or

(ii) for protecting the legitimate interests of data subjects insofar as automated decision making, as referred to in section 76, is concerned;

(b) provide for the review of the code by the Regulator; and

(c) provide for the expiry of the code.

[Proposal] Process for issuing [of] codes of conduct

[58] 66. (1) The Regulator may issue a code of conduct under section [57] 65 [of this Act]—

(a) on the Regulator’s own initiative, but [in] after consultation with affected stakeholders or a body representing such stakeholders; or

(b) on the application, in the prescribed form, [by of any person as provided in subsection (3). or—

(i)] by a body which is, in the opinion of the Regulator, sufficiently representative of any class of bodies, or of any industry, profession, or [calling] vocation as defined in the code[; and

(ii) if the code of conduct sought by the applicant is intended to apply in respect of the class of body, or the industry, profession, or calling, that the applicant represents,]

in respect of such class of [body] bodies or of any such industry, profession or vocation.

(2) [Without limiting subsection (1), but subject to subsection (3), any person may apply to the Regulator for the issuing of a code of conduct in the prescribed form submitted by the applicant.

(3) An application may be made pursuant to subsection (2) only—

(a) by a body which is, in the opinion of the Regulator, sufficiently representative of any class of bodies, or of any industry, profession, or calling as defined in the code; and

(b) if the code of conduct sought by the applicant is intended to apply in respect of the class of body, or the industry, profession, or calling, that the applicant represents,

in respect of such class of body or of any such industry, profession or calling.

(4) If an application is made to the Regulator pursuant to subsection (2), or if the Regulator intends to issue a code on its own initiative, the] The Regulator must give notice in the Gazette that the issuing of a code of conduct is being considered, which notice must contain a statement that—

(a) the details of the code of conduct being considered, including a draft of the proposed code, may be obtained from the Regulator; and

(b) submissions on the proposed code may be made in writing to the Regulator within such period as is specified in the notice.

[(5)] (3) The Regulator [must] may not issue a code of conduct unless it has considered the submissions made to the Regulator in terms of subsection [(4)] (2)(b), if any, and is satisfied that all persons affected by the proposed code have had a reasonable opportunity to be heard.

[(6)] (4) The decision as to whether an application for the issuing of a code has been successful must be made within a reasonable period which must not exceed 13 weeks.

Notification, availability and commencement of code

94 The proposed amendment aims to clarify the meaning of the paragraph by introducing the term “information matching programme” which is defined in clause 1.


[59] 67. (1) If a code of conduct is issued under section [57] 65 the Regulator must ensure that—

(a) [the Regulator must ensure that] there is published in the Gazette, as soon as reasonably practicable after the code is issued, a notice indicating—

(i) that the code has been issued; and

(ii) where copies of the code are available for inspection free of charge and for purchase; and

(b) [the Regulator must ensure that] as long as the code remains in force, copies of it are available—

(i) on the Regulator’s website;

(ii) for inspection by members of the public free of charge at the Regulator’s offices; and

(iii) for purchase or copying by members of the public at a reasonable price at the Regulator’s offices.

(2) A code of conduct issued under section [57] 65 comes into force on the 28th day after the date of its notification in the Gazette or on such later date as may be specified in the code and is binding on every class or classes of body, industry, profession or [calling] vocation referred to therein.

Procedure for dealing with complaints95

[61] 68.(1) A code of conduct may prescribe procedures for making and dealing with complaints alleging a breach of the code, but no such provision may limit or restrict any provision of Chapter [8] 10.

(2) If the code sets out procedures for making and dealing with complaints, the Regulator must be satisfied that—

(a) the procedures meet the—

(i) prescribed standards; and

(ii) guidelines issued by the Regulator in terms of section [62] 70,

relating to the making of and dealing with complaints;

(b) the code provides for the appointment of an independent adjudicator to whom complaints may be made;

(c) the code provides that, in performing his or her functions, and exercising his or her powers, under the code, an adjudicator for the code must have due regard to the matters listed in section [44(2)] 43;

(d) the code requires the adjudicator to prepare and submit a report, in a form satisfactory to the Regulator, to the Regulator within five months of the end of a financial year of the [Department of Justice and Constitutional Development] Regulator on the operation of the code during that financial year; and

(e) the code requires the report prepared for each year to specify the number and nature of complaints made to an adjudicator under the code during the relevant financial year.

(3) A responsible party or data subject who is aggrieved by a determination, including any declaration, order or direction that is included in the determination, made by an adjudicator[, other than the Regulator,] after [investigating] having investigated a complaint relating to the protection of personal information under an approved code of conduct, may submit [lodge] a complaint in terms of section 79(2) with the Regulator against the determination [on], upon payment of a prescribed fee.

(4) The adjudicator’s determination continues to have effect unless and until the Regulator makes a determination under Chapter 10 relating to the complaint or unless the Regulator determines otherwise.

Amendment and revocation of codes

[60] 69.(1) The Regulator may amend or revoke a code of conduct issued under section [57] 65.

95 Clause moved to provide logical structure to this Part.


(2) The provisions of sections [57, 58, 59 and 61] 65 to 68 apply in respect of any amendment or revocation of a code of conduct.

[Procedure for dealing with complaints61.]96

Guidelines about codes of conduct

[62] 70. (1) The Regulator may provide written guidelines—

(a) to assist bodies to develop codes of conduct or to apply approved codes of conduct;

(b) relating to making and dealing with complaints under approved codes of conduct; and

(c) about matters the Regulator may consider in deciding whether to approve a code of conduct or a variation or revocation of an approved code of conduct.

(2) Before providing guidelines for the purposes of subsection (1)(b), the Regulator must give everyone the Regulator considers has a real and substantial legitimate interest in the matters covered by the proposed guidelines an opportunity to comment on them.

(3) The Regulator must publish guidelines provided under subsection (1) in the Gazette.

Register of approved codes of conduct

[63] 71. (1) The Regulator must keep a register of approved codes of conduct.

(2) The Regulator may decide the form of the register and how it is to be kept.

(3) The Regulator must make the register available to the public in the way that the Regulator determines.

(4) The Regulator may charge reasonable fees for—

(a) making the register available to the public; or

(b) providing copies of, or extracts from, the register.

Review of operation of approved code of conduct

[64] 72.(1) The Regulator may, on its own initiative, review the operation of an approved code of conduct.

(2) The Regulator may do one or more of the following for the purposes of the review:

(a) Consider the process under the code for making and dealing with complaints;

(b) inspect the records of an adjudicator for the code;

(c) consider the outcome of complaints dealt with under the code;

(d) interview an adjudicator for the code; and

(e) appoint experts to review those provisions of the code that the Regulator believes require expert evaluation.

(3) The review may inform a decision by the Regulator under section [60] 69 to revoke the approved code of conduct with immediate effect or at a future date to be determined by the Regulator.

Effect of failure to comply with code

[65] 73.If a code issued under section 65 [57 of this Act] is in force, failure to comply with the code is deemed to be a breach of [an information protection principle] the conditions for the lawful processing of personal information referred to in Chapter 3 and is dealt with in terms of Chapter 10.

CHAPTER 8

RIGHTS OF DATA SUBJECTS REGARDING UNSOLICITED ELECTRONIC COMMUNICATIONS, DIRECTORIES AND AUTOMATED DECISION MAKING

96 Clause 61 has been moved to clause 68.


Unsolicited electronic communications

[66] 74. (1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or [electronic] e-mail is prohibited unless the data subject—

(a) has given his, her or its consent to the processing; or

(b) is, subject to subsection [(2)] (3), a customer of the responsible party.

(2) A responsible party may approach the data subject referred to in subsection (1) (a) only once in order to obtain the consent of the data subject to the processing of his, her or its personal information for the purpose of direct marketing by means of any form of electronic communication by the responsible party.97

(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)—

(a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;

(b) for the purpose of direct marketing of the responsible party’s own similar products or services; and

(c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—

(i) at the time when the information was collected; and

(ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.

[(3)] (4) Any communication for the purpose of direct marketing must contain—

(a) details of the identity of the sender or the person on whose behalf the communication has been sent; and

(b) an address or other contact details to which the recipient may send a request that such communications cease.

(5) "Automatic calling machine", for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.

Directories

[67] 75. (1) A data subject who is a subscriber to a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services, in which his, her or its personal information is included, must be informed, free of charge and before the information is included in the directory—

(a) about the purpose of the directory; and

(b) about any further uses to which the directory may possibly be put, based on search functions embedded in electronic versions of the directory.

(2) A data subject must be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its personal information or to request verification, confirmation or withdrawal of such information if the data subject has not initially refused such use.

(3) Subsections (1) and (2) do not apply to editions of directories that were produced in printed or off-line electronic form prior to the commencement of this section.

(4) If the personal information of data subjects who are subscribers to fixed or mobile public voice telephony services have been included in a public subscriber directory in conformity with the information protection principles prior to the commencement of this section, the personal information of such subscribers may remain included in this public directory in its printed or electronic versions, after having received the information required by subsection (1).

(5) "Subscriber", for purposes of this section, means any person who is party to a contract with the provider of publicly available electronic communications services for the supply of such services.

97 Provision has been inserted to clarify that responsible party may approach data subject once to obtain his or her consent.


Automated decision making

[68] 76. (1) Subject to subsection (2), [no one may] a data subject [has the right] may not [to] be subject to a decision which [are attached] results in legal consequences for [him or her] him, her or it, or which affects [him or her] him, her or it to a substantial degree, [that has been taken solely on the basis of] which is based solely on the basis of the automated processing of personal information intended to provide a profile of [certain aspects of his or her personality or personal habits,] such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences and conduct.

(2) The provisions of subsection (1) do not apply if the decision—
(a) has been taken in connection with the conclusion or execution of a contract, and—
(i) the request of the data subject in terms of the contract has been met; or
(ii) appropriate measures have been taken to protect the data subject’s legitimate interests; or
(b) is governed by a law or code in which appropriate measures are specified for protecting the legitimate interests of data subjects.

(3) The appropriate measures, referred to in subsection (2)(a)(ii), must—

(a) provide an opportunity for a data subject to make representations about a decision referred to in subsection (1); and

(b) require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations in terms of paragraph (a).

CHAPTER 9

TRANSBORDER INFORMATION FLOWS

Transfers of personal information outside Republic

[69] 77.(1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—
(a) the recipient of the information is subject to a law, [binding code of conduct], binding corporate rules or [contract] binding agreement98 which provide an adequate level of protection that—
(i) effectively upholds principles for reasonable processing of the information that are substantially similar to the [information protection principles] conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
(ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
(b) the data subject consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
(e) the transfer is for the benefit of the data subject, and—
(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
(ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

(2) For the purpose of this section—

(a) “binding corporate rules” means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and

98 Amendment proposed by FIC.


(b) “group of undertakings” means a controlling undertaking and its controlled undertakings.

CHAPTER 10

ENFORCEMENT

Interference with protection of personal information of data subject

[70] 78.For the purposes of this Chapter, interference with the protection of the personal information of a data subject consists, in relation to that data subject, of—
(a) any breach of the [information protection principles set out] conditions for the lawful processing of personal information as referred to in Chapter 3;
(b) non-compliance with section [21, 47, 66, 67, 68 or 69] 22, 54, 74, 75, 76 or 77; or
(c) a breach of the provisions of a code of conduct issued in terms of section [57] 65.

Complaints

[71] 79.(1) Any person may submit a complaint to the Regulator in the prescribed manner and form[—(a)] alleging interference with the protection of the personal information of a data subject[; or] .

[(b)] (2) A responsible party or data subject may, in terms of section [61(3)] 68(3), submit a complaint to the Regulator in the prescribed manner and form if [the data subject] he, she or it is aggrieved by the determination of an adjudicator.

Mode of complaints to Regulator

[72] 80.(1) A complaint to the Regulator [may] must be made [either orally or] in writing.

(2) [A complaint made orally must be put in writing as soon as reasonably practicable.

(3)] The Regulator must give such reasonable assistance as is necessary in the circumstances to enable a person, who wishes to make a complaint to the Regulator, to put the complaint in writing.

[Investigation by Regulator99

[73. (1) The Regulator, after receipt of a complaint made in terms of section 71, must—
(a) investigate any alleged interference with the protection of the personal information of a data subject in the prescribed manner;
(b) act, where appropriate, as conciliator in relation to any such interference in the prescribed manner; and
(c) take such further action as is contemplated by this Chapter.

(2) The Regulator may, on its own initiative, commence an investigation under subsection (1).

Action on receipt of complaint

74. (1) On receiving a complaint in terms of section 71, the Regulator may—
(a) investigate the complaint; or
(b) decide, in accordance with section 75, to take no action on the complaint.

(2) The Regulator must, as soon as is reasonably practicable, advise the complainant and the responsible party to whom the complaint relates of the course of action that the Regulator proposes to adopt under subsection (1).]

Action on receipt of complaint

81. (1) On receiving a complaint in terms of section 79, the Regulator may—
(a) conduct a pre-investigation as referred to in section 84;
(b) act, at any time during the investigation and where appropriate, as conciliator in relation to any interference with the protection of the personal information of a data subject in the prescribed manner;
(c) decide, in accordance with section 82, to take no action on the complaint or, as the case may be, require no further action in respect of the complaint;
(d) conduct a full investigation of the complaint;

99 Provisions of clause 74 are closely related to that of clause 73. Technical Committee requested that provisions of clauses 73 and 74 be combined. See clause 81.


(e) refer the complaint, in terms of section 96A, to the Enforcement Committee; or
(f) take such further action as is contemplated by this Chapter.

(2) The Regulator must, as soon as is reasonably practicable, advise the complainant and the responsible party to whom the complaint relates of the course of action that the Regulator proposes to adopt under subsection (1).

(3) The Regulator may, on its own initiative, commence an investigation into the interference with the protection of the personal information of a data subject as referred to in section 78.

Regulator may decide to take no action on complaint

[75] 82.(1) The Regulator, after investigating a complaint received in terms of section [71] 79, may decide to take no action or, as the case may be, require no further action in respect of the complaint if, in the Regulator’s opinion—
(a) the length of time that has elapsed between the date when the subject matter of the complaint arose and the date when the complaint was made is such that an investigation of the complaint is no longer practicable or desirable;
(b) the subject matter of the complaint is trivial;
(c) the complaint is frivolous or vexatious or is not made in good faith;
(d) the complainant does not desire that action be taken or, as the case may be, continued;
(e) the complainant does not have a sufficient personal interest in the subject matter of the complaint; or
(f) in cases where the complaint relates to a matter in respect of which a code of conduct is in force and the code of conduct makes provision for a complaints procedure, the complainant has failed to pursue, or to pursue fully, an avenue of redress available under that complaints procedure that it would be reasonable for the complainant to pursue.

(2) Notwithstanding anything in subsection (1), the Regulator may in its discretion decide not to take any further action on a complaint if, in the course of the investigation of the complaint, it appears to the Regulator that, having regard to all the circumstances of the case, any further action is unnecessary or inappropriate.

(3) In any case where the Regulator decides to take no action, or no further action, on a complaint, the Regulator must inform the complainant of that decision and the reasons for it.

Referral of complaint to regulatory body

[76] 83.(1) If, on receiving a complaint in terms of section [71] 79, the Regulator considers that the complaint relates, in whole or in part, to a matter that is more properly within the jurisdiction of another regulatory body established in terms of any law 100, the Regulator must forthwith determine whether the complaint should be dealt with, in whole or in part, under this Act after consultation with the body concerned.

(2) If the Regulator determines that the complaint should be dealt with by another body, the Regulator must forthwith refer the complaint to that body to be dealt with accordingly and must notify the complainant of the referral.

Pre-investigation proceedings of Regulator

[77] 84.Before proceeding to investigate any matter in terms of this Chapter, the Regulator must, in the prescribed manner, inform—
(a) the complainant, the data subject to whom the investigation relates (if not the complainant) and any person alleged to be aggrieved (if not the complainant), of the Regulator’s intention to conduct the investigation; and
(b) the responsible party to whom the investigation relates of the—
(i) details of the complaint or, as the case may be, the subject matter of the investigation; and

100 Wording inserted to clarify what is meant with term “regulatory body”.


(ii) right of that responsible party to submit to the Regulator, within a reasonable period, a written response in relation to the complaint or, as the case may be, the subject-matter of the investigation.

Settlement of complaints

[78] 85.If it appears from a complaint, or any written response made in relation to a complaint under section [77(b)(ii)] 84(b)(ii), that it may be possible to secure—
(a) a settlement between any of the parties concerned; and
(b) if appropriate, a satisfactory assurance against the repetition of any action that is the subject matter of the complaint or the doing of further actions of a similar kind by the person concerned,
the Regulator may, without investigating the complaint or, as the case may be, investigating the complaint further, in the prescribed manner, use its best endeavours to secure such a settlement and assurance.

Investigation proceedings of Regulator101

[79] 86.For the purposes of the investigation of a complaint the Regulator may—
(a) summon and enforce the appearance of persons before the Regulator and compel them to give oral or written evidence on oath and to produce any records and things that the Regulator considers necessary to investigate the complaint, in the same manner and to the same extent as the High Court;
(b) administer oaths;
(c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Regulator sees fit, whether or not it is or would be admissible in a court of law;

(d) at any reasonable time, subject to section [80] 87, enter and search any premises occupied by a responsible party;

(e) [converse in] conduct a private interview with any person in any premises entered under section [82] 89 subject to section [80] 87; and

(f) otherwise carry out in those premises any inquiries that the Regulator sees fit in terms of section [80] 87.

Option102

Investigation proceedings of Regulator

[79] 86.For the purposes of the investigation of a complaint the Regulator may—
(a) [summon and enforce the appearance of persons] invite a person to appear before the Regulator and [compel them] to give oral or written evidence on oath and [to] produce any records and things that the Regulator considers necessary to investigate the complaint, [in the same manner and to the same extent as the High Court]; Provided that if such person fails voluntarily to abide by such invitation, the Regulator may, on probable and good cause shown, approach the High Court for a warrant to enforce the appearance of such person or the production of such records or things, and further provided that the High Court may draw no inference from such person’s failure to abide by such invitation, and further provided that no-one may be compelled to give oral or written evidence which may incriminate him or her;
(b) administer oaths;
(c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Regulator sees fit, whether or not it is or would be admissible in a court of law; and

101 The need for the clause was questioned. Other statutory bodies, such as the Public Protector and the Human Rights Commission, have similar powers to ensure co-operation during investigations. However, the terminology used differs; for example, other legislation refers to written notices, determinations or directions, all of which are delivered by an authorised person or sheriff. Non-compliance with such notices, determinations or directions is met with a criminal sanction.

102 Option proposed by Dr Oriani-Ambrosini.


(d) at any reasonable time, subject to section [80] 87, enter and search any premises occupied by a responsible party;

[(e) converse in private with any person in any premises entered under section 82 subject to section 80; and
(f) otherwise carry out in those premises any inquiries that the Regulator sees fit in terms of section 80].

Issue of warrants

[80] 87.(1) A judge of the High Court, a regional magistrate or a magistrate, if satisfied by information on oath supplied by the Regulator that there are reasonable grounds for suspecting that—
(a) a responsible party is interfering with the protection of the personal information of a data subject; or
(b) an offence under this Act has been or is being committed,
and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information, that are within the jurisdiction of that judge or magistrate, may, subject to subsection (2), grant a warrant to enter and search such premises.

(2) A warrant issued under subsection (1) authorises [the Regulator or any of its officers or staff] any of the Regulator’s members or staff members, subject to section [82] 89, at any time within seven days of the date of the warrant to enter the premises as identified in the warrant, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal information and to inspect and seize any record, other material or equipment found there which may be such evidence as is mentioned in that subsection.

Requirements for issuing of warrant

[81] 88.(1) A judge or magistrate must not issue a warrant under section [80] 87 unless satisfied that—
(a) the Regulator has given seven days’ notice in writing to the occupier of the premises in question demanding access to the premises;
(b) either—
(i) access was demanded at a reasonable hour and was unreasonably refused; or
(ii) although entry to the premises was granted, the occupier unreasonably refused to comply with a request by any of the Regulator’s members [or officers] or staff to permit the members or the [officer or member] members of staff to do any of the things referred to in section [80(2)] 87(2); and
(c) that the occupier has, after the refusal, been notified by the Regulator of the application for the warrant and has had an opportunity of being heard on the question whether the warrant should be issued.

(2) Subsection (1) does not apply if the judge or magistrate is satisfied that the case is one of urgency or that compliance with that subsection would defeat the object of the entry.

(3) A judge or magistrate who issues a warrant under section [80] 87 must also issue two copies of it and certify them clearly as copies.

Execution of warrants

[82] 89.(1) A police officer who is assisting a person authorised to conduct an entry and search in terms of a warrant issued under section [80] 87 may overcome resistance to the entry and search by using such force as is reasonably necessary.

(2) A warrant issued under this section must be executed at a reasonable hour unless it appears to the person executing it that there are reasonable grounds for suspecting that the evidence in question would not be found if it were so executed.

(3) If the person who occupies the premises in respect of which a warrant is issued under section [80] 87 is present when the warrant is executed, he or she must be shown the warrant and supplied with a copy of it, and if that person is not present a copy of the warrant must be left in a prominent place on the premises.


(4) A person seizing anything in pursuance of a warrant under section [80] 87 must give a receipt to the occupier or leave the receipt on the premises.

(5) Anything so seized may be retained for as long as is necessary in all circumstances but the person in occupation of the premises in question must be given a copy of any documentation that is seized if he or she so requests and the person executing the warrant considers that it can be done without undue delay.

(6) A person authorised to conduct an entry and search in terms of section [80] 87 must be accompanied and assisted by a police officer.

(7) A person who enters and searches any premises under this section must conduct the entry and search with strict regard for decency and order, and with regard to each person’s right to dignity, freedom, security and privacy.

(8) A person who enters and searches premises under this section must before questioning any person—
(a) advise that person of the right to be assisted at the time by an advocate or attorney; and
(b) allow that person to exercise that right.

(9) No self-incriminating answer given or statement made to a person who conducts a search in terms of a warrant issued under section [80] 87 is admissible as evidence against the person who gave the answer or made the statement in criminal proceedings, except in criminal proceedings for perjury or in which that person is tried for an offence contemplated in section [97] 105 and then only to the extent that the answer or statement is relevant to prove the offence charged.

Matters exempt from search and seizure

[83] 90.If the Regulator has [authorised the processing of personal information] granted an exemption in terms of section [34] 37, that information is not subject to search and seizure empowered by a warrant issued under section [80] 87.

Communication between legal adviser and client exempt

[84] 91.(1) Subject to the provisions of this section, the powers of search and seizure conferred by a warrant issued under section [80] 87 must not be exercised in respect of—
(a) any communication between a professional legal adviser and his or her client in connection with the giving of legal advice to the client with respect to his or her obligations, liabilities or rights; or
(b) any communication between a professional legal adviser and his or her client, or between such an adviser or his or her client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act, including proceedings before a court, and for the purposes of such proceedings.

(2) Subsection (1) applies also to—
(a) any copy or other record of any such communication as is mentioned therein; and
(b) any document or article enclosed with or referred to in any such communication if made in connection with the giving of any advice or, as the case may be, in connection with or in contemplation of and for the purposes of such proceedings as are mentioned therein.

Objection to search and seizure

[85] 92.If the person in occupation of any premises in respect of which a warrant is issued under this Act objects to the inspection or seizure under the warrant of any material on the ground that it—
(a) contains privileged information and refuses the inspection or removal of such article or document, the person executing the warrant or search must, if he or she is of the opinion that the article or document contains information that has a bearing on the investigation and that such information is necessary for the investigation, request the Registrar of the High Court which has jurisdiction or his or her delegate, to attach and remove that article or document for safe custody until a court of law has made a ruling on the question whether the information concerned is privileged or not; or


(b) consists partly of matters in respect of which those powers are not exercised, he or she must, if the person executing the warrant so requests, furnish that person with a copy of so much of the material as is not exempt from those powers.

Return of warrants

[86] 93.A warrant issued under section [80] 87 must be returned to the court from which it was issued—
(a) after being executed; or
(b) if not executed within the time authorised for its execution,
and the person who has executed the warrant must make an endorsement on it stating what powers have been exercised by him or her under the warrant.

Assessment

[87] 94.(1) The Regulator, on its own initiative, or at the request by or on behalf of the responsible party, data subject or any other person must make an assessment in the prescribed manner [prescribed] of whether an instance of processing of personal information complies with the provisions of this Act.

(2) The Regulator must make the assessment if it appears to be appropriate, unless, where the assessment is made on request, the Regulator has not been supplied with such information as it may reasonably require in order to—
(a) satisfy itself as to the identity of the person making the request; and
(b) enable it to identify the action in question.

(3) The matters to which the Regulator may have regard in determining whether it is appropriate to make an assessment include—
(a) the extent to which the request appears to it to raise a matter of substance[, and if the assessment is made on request—]
(b) any undue delay in making the request; and
(c) whether or not the person making the request is entitled to make an application [under Principle 8] in terms of section 23 or 24 in respect of the personal information in question.103

(4) If the Regulator has received a request under this section it must notify the requester—
(a) whether it has made an assessment as a result of the request; and
(b) to the extent that it considers appropriate, having regard in particular to any exemption which has been granted by the Regulator in terms of section 37 from [Principle 8] section 23 or 24 applying in relation to the personal information concerned, of any view formed or action taken as a result of the request.

Information notice

[88] 95.(1) If the Regulator—
(a) has received a request under section [87] 94 in respect of any processing of personal information; or
(b) reasonably requires any information for the purpose of determining whether the responsible party has interfered or is interfering with the personal information of a data subject,
the Regulator may serve the responsible party with an information notice requiring the responsible party to furnish the Regulator, within a specified period, in a form specified in the notice, with [an independent auditor’s] a report indicating that the processing is taking place in compliance with the provisions of the Act, or with such information relating to the request or to compliance with the Act as is so specified.

(2) An information notice must contain particulars of the right of appeal conferred by section [92] 100, and—

103 Proposed amendment aims to clarify meaning of clause and to harmonise it with clause 38(1)(b)(vi).


(a) in a case falling within subsection (1)(a), a statement that the Regulator has received a request under section [87] 94 in relation to the specified processing; or

(b) in a case falling within subsection (1)(b), a statement that the Regulator regards the specified information as relevant for the purpose of determining whether the responsible party has complied, or is complying, with the [information protection principles] conditions for the lawful processing of personal information and the reasons for regarding it as relevant for that purpose.

(3) Subject to subsection (5), the period specified in an information notice must not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.

(4) If the Regulator considers that the information is required as a matter of urgency, it may include in the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does not apply.

(5) A notice in terms of subsection (4) may not require the information to be furnished before the end of a period of three days beginning with the day on which the notice is served.

(6) An information notice may not require a responsible party to furnish the Regulator with any communication between a—
(a) professional legal adviser and his or her client in connection with the giving of legal advice on the client’s obligations, liabilities or rights under this Act; or
(b) professional legal adviser and his or her client, or between such an adviser or his or her client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before a court) and for the purposes of such proceedings.

(7) In subsection (6) references to the client of a professional legal adviser include any person representing such a client.

(8) An information notice may not require a responsible party to furnish the Regulator with information that would, by revealing evidence of the commission of any offence other than an offence under this Act, expose the responsible party to criminal proceedings.

(9) The Regulator may cancel an information notice by written notice to the responsible party on whom it was served.

[(10) After completing the assessment referred to in section 87 the Regulator—
(a) must report to the responsible party the results of the assessment and any recommendations that the Regulator considers appropriate; and
(b) may, in appropriate cases, require the responsible party, within a specified time, to inform the Regulator of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken.

(11) The Regulator may make public any information relating to the personal information management practices of a responsible party that has been the subject of an assessment under this section if the Regulator considers it in the public interest to do so.

(12) A report made by the Regulator under subsection (10) is deemed to be the equivalent of an enforcement notice in terms of section 90.]104

Parties to be informed of result of assessment

96. (1) After completing the assessment referred to in section 94 the Regulator—
(a) must report to the responsible party the results of the assessment and any recommendations that the Regulator considers appropriate; and
(b) may, in appropriate cases, require the responsible party, within a specified time, to inform the Regulator of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken.

104 Subclauses (10) to (12) inserted in separate clause to place better emphasis on the requirement that parties must be informed. The question is raised, in view thereof that a responsible party, a data subject or any other person may request an assessment, whether clause 95(1) should also require that a data subject or other person (if any of them requested an assessment) should be informed of the result of the assessment.


(2) The Regulator may make public any information relating to the personal information management practices of a responsible party that has been the subject of an assessment under this section if the Regulator considers it in the public interest to do so.

(3) A report made by the Regulator under subsection (1) is deemed to be the equivalent of an enforcement notice in terms of section 98.

Matters referred to Enforcement Committee

96A. (1) After completing the investigation of a complaint or other matter in terms of this Act, the Regulator may refer such complaint or other matter to the Enforcement Committee for consideration, a finding in respect of the complaint or other matter and a recommendation in respect of the proposed action to be taken by the Regulator as referred to in section 50.

(2) The Regulator may prescribe the procedure to be followed by the Enforcement Committee, including—
(a) the manner in which the responsible party and data subject may make submissions to the Enforcement Committee;
(b) the opportunity afforded to the parties who make submissions to the Enforcement Committee to make use of legal or other representation;
(c) the period within which the Enforcement Committee must make a finding and submit its recommendation to the Regulator in respect of the complaint or other matter; and
(d) the manner in which the Enforcement Committee may finalise urgent matters.

Parties to be informed of developments during and result of investigation

[89] 97.If an investigation is made following a complaint, and—
(a) the Regulator believes that no interference with the protection of the personal information of a data subject has taken place and therefore does not serve an enforcement notice;
(b) the Regulator has referred the complaint to the Enforcement Committee for consideration in terms of section 96A;
[(b)] (c) an enforcement notice is served in terms of section [90] 98;
[(c)] (d) a served enforcement notice is cancelled in terms of section [91] 99;
[(d)] (e) an appeal is lodged against the enforcement notice for cancellation or variation of the notice in terms of section [92] 100; or
[(e)] (f) an appeal against an enforcement notice is allowed, the notice is substituted or the appeal is dismissed in terms of section [93] 101,
the Regulator must inform the complainant and the responsible party, as soon as reasonably practicable, in the manner prescribed of any development mentioned in paragraphs (a) to [(e)] (f) and the result of the investigation.

Enforcement notice

[90] 98.(1) If the Regulator, after having considered the recommendation of the Enforcement Committee in terms of section 50 105, is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject as referred to in section 78, the Regulator may serve the responsible party with an enforcement notice requiring the responsible party to do either or both of the following:
(a) To take specified steps within a period specified in the notice, or to refrain from taking such steps; or
(b) to stop processing personal information specified in the notice, or to stop processing personal information for a purpose or in a manner specified in the notice within a period specified in the notice.

(2) An enforcement notice must contain—

(a) a statement indicating the nature of the interference with the protection of the personal information of the data subject and the reasons for reaching that conclusion; and

(b) particulars of the rights of appeal conferred by section [92] 100.

(3) Subject to subsection (4), an enforcement notice may not require any of the provisions of the notice to be complied with before the end of the period within which an appeal may be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.

105 See footnote under clause 50.

(4) If the Regulator considers that an enforcement notice should be complied with as a matter [or] of urgency it may include in the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does not apply.

(5) A notice in terms of subsection (4) may not require any of the provisions of the notice to be complied with before the end of a period of three days beginning with the day on which the notice is served.

Option:106

(5) A notice in terms of subsection (4) may not require any of the provisions of the notice to be complied with before the end of a period of [three] ten days beginning with the day on which the notice is served.

Cancellation of enforcement notice

[91] 99.(1) A responsible party on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal may be brought against that notice, apply in writing to the Regulator for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not be complied with in order to ensure compliance with the [information protection principles] conditions for the lawful processing of personal information.

(2) If the Regulator considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with [the information protection principle or principles] a condition for the lawful processing of personal information or conditions to which it relates, it may cancel or vary the notice by written notice to the responsible party on whom it was served.

Right of appeal

[92] 100. (1) A responsible party on whom an information or enforcement notice has been served may, within 30 {{Option: Dr Oriani-Ambrosini: 180}} days of receiving the notice, appeal to the High Court having jurisdiction for the setting aside or variation of the notice.

(2) A complainant, who has been informed of the result of the investigation in terms of section [75(3) or 91,]107 82(3) or 99, may, within [30] 180 days of receiving the result, appeal to the High Court having jurisdiction against the result.

Consideration of appeal

[93] 101. (1) If in an appeal under section [92] 100 the court considers—

(a) that the notice or decision against which the appeal is brought is not in accordance with the law; or

(b) that the notice or decision involved an exercise of discretion by the Regulator that ought to have been exercised differently,

the court must allow the appeal and may set aside the notice or substitute such other notice or decision as should have been served or made by the Regulator.

(2) In such an appeal, the court may review any determination of fact on which the notice in question was based.

106 Option proposed by Dr Oriani-Ambrosini (on 24/2/11).

107 The question is raised whether any party should be allowed to appeal to the high court.


Civil remedies

[94] 102. (1) A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision [of this Act] referred to in section [70] 78, whether or not there is intent or negligence on the part of the responsible party.

(2) In the event of a breach the responsible party may raise any of the following defences against an action for damages:

(a) [Vis maior] Vis major;

(b) consent of the plaintiff;

(c) fault on the part of the plaintiff;

(d) compliance was not reasonably practicable in the circumstances of the particular case; or

(e) the Regulator [authorised the breach] has granted an exemption in terms of section [34] 37.

(3) A court hearing proceedings in terms of subsection (1) may award an amount that is just and equitable, including—

(a) payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a result of breach of the provisions of this Act;

(b) aggravated damages, in a sum determined in the discretion of the Court;

(c) interest; and

(d) costs of suit on such scale as may be determined by the Court.

(4) Any amount awarded to the Regulator in terms of subsection (3) must be dealt with in the following manner:

(a) the full amount must be deposited into a specifically designated trust account established by the Regulator with an appropriate financial institution;

(b) as a first charge against the amount, the Regulator may recover all reasonable expenses incurred in bringing proceedings at the request of a data subject in terms of subsection (1) and in administering the distributions made to the data subject in terms of subsection (5); and

(c) the balance, if any (in this section referred to as the “distributable balance”), must be distributed by the Regulator to the data subject at whose request the proceedings were brought.

(5) Any amount not distributed within three years from the date of the first distribution of payments in terms of subsection [(2)] (4), accrues to the Regulator in the Regulator’s official capacity.

(6) The distributable balance must be distributed on a pro rata basis to the data subject referred to in subsection (1).

(7) A Court issuing any order under this section must order it to be published in the Gazette and by such other appropriate public media announcement as the Court considers appropriate.

(8) Any civil action instituted under this section may be withdrawn, abandoned or compromised, but any agreement or compromise must be made an order of Court.

(9) If civil action has not been instituted, any agreement or settlement, if any, may, on application to the Court by the Regulator after due notice to the other party, be made an order of Court and must be published in the Gazette and by such other public media announcement as the Court considers appropriate.

CHAPTER 11

OFFENCES AND PENALTIES

Obstruction of Regulator

[95] 103. Any person who hinders, obstructs or unlawfully influences the Regulator or any person acting on behalf of or under the direction of the Regulator in the performance of the Regulator’s duties and functions under this Act, is guilty of an offence.

Breach of confidentiality


[96] 104. Any person who contravenes the provisions of section [47] 54, is guilty of an offence.

Obstruction of execution of warrant

[97] 105. Any person who—

(a) intentionally obstructs a person in the execution of a warrant issued under section [80] 87; or

(b) fails without reasonable excuse to give any person executing such a warrant such assistance as he or she may reasonably require for the execution of the warrant,

is guilty of an offence.

Failure to comply with enforcement or information notices

[98] 106. (1) A responsible party which fails to comply with an enforcement notice served in terms of section [90] 98, is guilty of an offence.

(2) A responsible party which, in purported compliance with an information notice served in terms of section 95—

(a) makes a statement knowing it to be false; or

(b) recklessly makes a statement which is false, in a material respect,

is guilty of an offence.

Offences by witnesses108

107. (1) Any person summoned in terms of section 86 to attend and give evidence or to produce any book, document or object before the Regulator who, without sufficient cause fails—

(a) to attend at the time and place specified in the summons;

(b) to remain in attendance until conclusion of the proceedings or until he or she is excused by the Chairperson of the Regulator from further attendance;

(c) having attended, refuses to be sworn or to make an affirmation as witness after he or she has been required by the Chairperson of the Regulator to do so;

(d) having been sworn or having made an affirmation, to answer fully and satisfactorily any question lawfully put to him or her; or

(e) to produce any book, document or object in his or her possession or custody or under his or her control, which he or she has been summoned to produce,

is guilty of an offence.

(2) Any person who after having been sworn or having made an affirmation, gives false evidence before the Regulator on any matter, knowing such evidence to be false or not knowing or believing it to be true, is guilty of an offence.

Unlawful acts by responsible party in connection with unique identifier109

108. (1) A responsible party who contravenes the provisions of section 8 insofar as those provisions relate to the processing of an account number of a data subject is, subject to subsections (2) and (3), guilty of an offence.

(2) The contravention referred to in subsection (1) must─

(a) be of a serious or persistent nature; and

(b) likely cause substantial damage or distress to the data subject.

(3) The responsible party must─

(a) have known or ought to have known that─

(i) there was a risk that the contravention would occur; or

(ii) such contravention would likely cause substantial damage or distress to the data subject; and

(b) have failed to take reasonable steps to prevent the contravention.

(4) Whenever a responsible party is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that he or she has taken all reasonable steps to comply with the provisions of section 8.

108 Provision moved from clause 45(4) (as introduced) with reference to section 6 of the Commissions Act.

109 If the proposal with regard to the inclusion of administrative fines is not accepted, an alternative approach for purposes of strengthening the enforcement powers of the Regulator would be to extend the ambit of the offences to all processing.

(5) “Account number”, for purposes of this section and section 109, means any unique identifier that has been assigned—

(a) to one data subject only; or

(b) jointly to more than one data subject,

by a financial or other institution which enables the data subject, referred to in paragraph (a), to access his, her or its own funds or to access credit facilities or which enables a data subject, referred to in paragraph (b), to access joint funds or to access joint credit facilities.

Unlawful acts by third parties in connection with unique identifier

109. (1) A person who knowingly or recklessly, without the consent of the responsible party—

(a) obtains or discloses an account number of a data subject; or

(b) procures the disclosure of an account number of a data subject to another person,

is, subject to subsection (2), guilty of an offence.

(2) Whenever a person is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that—

(a) the obtaining, disclosure or procuring of the account number was—

(i) necessary for the purpose of the prevention, detection, investigation or proof of an offence; or

(ii) required or authorised in terms of the law or in terms of a court order;

(b) he or she acted in the reasonable belief that he or she was legally entitled to obtain or disclose the account number or, as the case may be, to procure the disclosure of the account number to the other person;

(c) he or she acted in the reasonable belief that he or she would have had the consent of the responsible party if the responsible party had known of the obtaining, disclosing or procuring and the circumstances of it; or

(d) in the particular circumstances the obtaining, disclosing or procuring was in the public interest.

(3) A person who sells an account number which he or she has obtained in contravention of subsection (1), is guilty of an offence.

(4) A person who offers to sell the account number of a data subject which that person—

(a) has obtained; or

(b) subsequently obtained,

in contravention of subsection (1), is guilty of an offence.

(5) For the purposes of subsection (4), an advertisement indicating that an account number of a data subject is or may be for sale is an offer to sell the information.

[Penal sanctions] Penalties

[99] 110. Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of—

(a) [in the case of a contravention of section 95] section 103, 106(1), 107(2), 108(1), 109(1), (3) or (4), to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or

(b) [in any other case] section 61(1) or (2), 64, 104, 105, 106(2) or 107(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.

Magistrate’s Court jurisdiction to impose penalties


[100] 111. Despite anything to the contrary contained in any other law, a Magistrate’s Court has jurisdiction to impose any penalty provided for in section [99] 110.

Option110

To delete clause 111.

Option111

Administrative fines

111A. (1) If a responsible party is alleged to have committed an offence in terms of this Act, the Regulator may cause to be delivered by hand to that person (hereinafter referred to as the infringer) an infringement notice which must contain the particulars contemplated in subsection (2).

(2) A notice referred to in subsection (1) must—

(a) specify the name and address of the infringer;

(b) specify the particulars of the alleged offence;

(c) specify the amount of the administrative fine payable, which amount may, subject to subsection (10), not exceed R10 million;

(d) inform the infringer that, not later than 30 days after the date of service of the infringement notice, the infringer may—

(i) pay the administrative fine;

(ii) make arrangements with the Regulator to pay the administrative fine in instalments; or

(iii) elect to be tried in court on a charge of having committed the alleged offence referred to in terms of this Act; and

(e) state that a failure to comply with the requirements of the notice within the time permitted, will result in the administrative fine becoming recoverable as contemplated in subsection (5).

(3) When determining an appropriate fine, the Regulator must consider the following factors:

(a) The nature of the personal information involved;

(b) the duration and extent of the contravention;

(c) the number of data subjects affected or potentially affected by the contravention;

(d) whether or not the contravention raises an issue of public importance;

(e) the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects;

(f) whether the responsible party or a third party could have prevented the contravention from occurring;

(g) any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information; and

(h) whether the responsible party has previously contravened section 105 of the Act.

(4) If an infringer elects to be tried in court on a charge of having committed the alleged offence in terms of this Act , the Regulator must hand the matter over to the prosecuting authority and inform the infringer accordingly.

(5) If an infringer fails to comply with the requirements of a notice, the Regulator may file with the clerk or registrar of any competent court a statement certified by him or her as correct, setting forth the amount of the administrative fine payable by the infringer, and such statement thereupon has all the effects of a civil judgment lawfully given in that court in favour of the Regulator for a liquid debt in the amount specified in the statement.

110 Technical Committee questioned why jurisdiction of magistrates’ court should be extended and whether it is a general legislative practice. In excess of 113 different pieces of legislation contain provisions that extend the jurisdiction of the aforementioned courts in similar fashion, for example, s19 of Act 36 of 1947, s2A(3) of Act 71 of 1962, s45(2) of Act 15 of 1976, s35(3) of Act 53 of 1976, s8 of Act 9 of 1978, s25(2) of Act 62 of 1998, s47(2)(b) of Act 12 of 1998, s70(3) of Act 18 of 1998, s162 of Act 34 of 2005 and s217 of Act 71 of 2008.

111 Heading of Chapter 11 will have to be amended as follows: OFFENCES, [AND] PENALTIES AND ADMINISTRATIVE FINES if option is approved.


(6) The Regulator may not impose an administrative fine contemplated in this section if the responsible party concerned has been charged with an offence in terms of this Act in respect of the same set of facts.

(7) No prosecution may be instituted against a responsible party if the responsible party concerned has paid an administrative fine in terms of this section in respect of the same set of facts.

(8) An administrative fine imposed in terms of this section does not constitute a previous conviction as contemplated in Chapter 27 of the Criminal Procedure Act, 1977 (Act No. 51 of 1977).

(9) A fine payable in terms of this section must be paid into the National Revenue Fund referred to in section 213 of the Constitution.

Option:

(10) The Minister may, from time to time and after consultation with the Regulator, by notice in the Gazette, adjust the amount referred to in subsection (2)(c) in accordance with the average of the consumer price index, as published from time to time in the Gazette, for the immediately preceding period of 12 months multiplied by the number of years that the amount referred to in subsection (2)(c) has remained the same.

CHAPTER 12

GENERAL PROVISIONS

[Repeal and amendment] Amendment of laws112

[101] 112. The laws mentioned in the Schedule are amended to the extent indicated in the third column of the Schedule.

Fees

113. (1) The Minister may─

(a) subject to subsection (2) and section 115, upon request by and after consultation with the Regulator, prescribe an annual administrative fee to be paid by those responsible parties whose particulars have been included in the Register referred to in section 57(2); and

(b) subject to section 115 and after consultation with the Regulator prescribe fees to be paid by data subjects─

(i) to responsible parties as referred to in section 23(1)(b)(ii); and

(ii) to the Regulator as referred to in section 68(3).

(2) The Regulator may only request the Minister to prescribe an annual administrative fee referred to in subsection (1)(a) after a period of at least three years has elapsed after the implementation of the Act for the purposes of ensuring the financial independence of the Regulator.

(3) Different fees may be prescribed in respect of different categories of responsible parties and data subjects referred to in subsection (1) (a) and (b) , respectively.

(4) Regulations made in terms of subsection (1) (a) may, in respect of any contravention thereof or failure to comply therewith, prescribe as a penalty a fine or imprisonment which does not exceed five times the amount of the annual administrative fee concerned.

Regulations

[102] 114. [The Minister may make regulations on—

(a) any matter which this Act requires or permits to be prescribed;

(b) the monitoring of this Act and the establishment of the Regulator; and

(c) any other matter which may be necessary for the application of this Act.]

(1) The Minister may, subject to section 115, make regulations relating to—

(a) the establishment of the Regulator; and

(b) fees referred to in section 113(1).

112 It is recommended that clause 108 be inserted before clause 113 “Short title and commencement”.

(2) The Regulator may, subject to section 115, make regulations relating to─

(a) the manner in terms of which a data subject may object to the processing of personal information as referred to in section 11(3);

(b) the manner in which a data subject may submit a request to a responsible party as referred to in section 24(1);

(c) the processing of health information by certain responsible parties as referred to in section 32(6);

(d) the responsibilities of information officers as referred to in section 55(1)(e);

(e) the procedure in terms of which notifications must be submitted as referred to in section 58(5);

(f) the categories of processing that are exempt from notification as referred to in section 59(2);

(g) the form in terms of which an application for a code of conduct must be submitted to the Regulator as referred to in section 66(1)(b);

(h) the manner and form in terms of which a complaint must be submitted in terms of section 79;

(i) the Regulator acting as conciliator in relation to any interference with the protection of personal information as referred to in section 81(2)(a);

(j) the notification of the parties concerned of an investigation to be conducted as referred to in section 84;

(k) the settlement of complaints as referred to in section 85;

(l) the manner in which an assessment of the processing of personal information will be made as referred to in section 94(1); and

(m) the manner in terms of which the parties concerned must be informed of the developments during and result of an investigation as referred to in section 97.

(3) Regulations made in terms of subsection (2) may, in respect of any contravention thereof or failure to comply therewith, prescribe as a penalty a fine or imprisonment for a period not exceeding 12 months.

Procedure for making regulations

115. (1) The Minister, before making or amending any regulations referred to in section 114(1), must publish a notice in the Gazette─

(a) setting out that draft regulations have been developed;

(b) specifying where a copy of the draft regulations may be obtained; and

(c) inviting written comments to be submitted on the proposed regulations within a specified period.

(2) After complying with subsection (1) and after consultation with the Regulator in respect of the draft regulations referred to in section 113, the Minister may─

(a) amend the draft regulations; and

(b) subject to subsection (5), publish the regulations in final form in the Gazette.

(3) The Regulator, before making or amending any regulations referred to in section 114(2), must publish a notice in the Gazette─

(a) setting out that draft regulations have been developed;

(b) specifying where a copy of the draft regulations may be obtained; and

(c) inviting written comments to be submitted on the proposed regulations within a specified period.

(4) After complying with subsection (3), the Regulator may─

(a) amend the draft regulations; and

(b) subject to subsection (5), publish the regulations in final form in the Gazette.

(5) (a) The Minister or the Regulator, as the case may be, must, within 30 days before publication of the regulations in the Gazette, as referred to in subsection (2)(b) or (4)(b), table them in Parliament.


(b) Subsection (1) or (3) does not apply in respect of any amendment of the regulations as a result of the process referred to in paragraph (a).

Transitional arrangements

[103] 116. (1) Processing which [is taking place] has already commenced on the date when this Act comes into force and does not conform to it must, within one year of such date, be made to conform and thereafter be notified to the Regulator in terms of section 17(1).

(2) The period of one year referred to in subsection (1) may be extended by the Minister, on request or of his or her own accord and after consultation with the Regulator, by notice in the Gazette [to a maximum of three years] in respect of different class or classes of information and bodies by an additional period which period may not exceed three years //Option: five years.

(3) Section [56(2)] 63(2) does not apply to processing referred to in section [55] 62, which is taking place on the date of commencement of this Act, [or as the case may be, of the legislation, regulations or codes of conduct applying to such processing] until the Regulator determines otherwise by notice in Gazette.113

Short title and commencement

[104] 117. (1) This Act is called the Protection of Personal Information Act, [2009] 2012, and commences on a date determined by the President by proclamation in the Gazette.

(2) Different dates of commencement may be determined in respect of different provisions of this Act or in respect of different class or classes of information and bodies.

113 Proposed redraft of clause aims to clarify meaning thereof.


SCHEDULE

LAWS [REPEALED OR] AMENDED BY SECTION [101] 112

No. and year of law: Act 2 of 2000

Short title: Promotion of Access to Information Act, 2000

Extent of repeal or amendment:

1. The amendment of section 1 by the─

(a) omission of the definition of “Human Rights Commission”;

(b) substitution for the definition of “personal information” of the following definition:

"'personal information' means information relating to an identifiable natural person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, email address, physical address, telephone number or other particular assigned to the person;

(d) the blood type or any other biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,

but excludes information about an individual who has been dead for more than 20 years;";

(c) omission of the definition of “personal requester”; and

(d) insertion after the definition of “record” of the following definition:

"'Regulator' means the Information Regulator established in terms of section 38 of the Protection of Personal Information Act, 2012;".

2. The amendment of section 11 by the substitution for subsection (2) of the following subsection:

"(2) A request contemplated in subsection (1) [includes] excludes a request for access to a record containing personal information about the requester.".

3. The amendment of section 21 by the substitution of paragraphs (a) and (b) of the following paragraphs:

“(a) the periods for lodging an internal appeal, a complaint to the Regulator, an application with a court or an appeal against a decision of that court have expired; or

(b) that internal appeal, complaint to the Regulator, application or appeal against a decision of that court or other legal proceedings in connection with the request has been finally determined,”.

4. The amendment of section 22 by the substitution for—

(a) subsection (1) of the following subsection:

"(1) The information officer of a public body to whom a request for access is made, must by notice require the requester[, other than a personal requester,] to pay the prescribed request fee (if any), before further processing the request.”;

(b) subsection (2) of the following subsection:

"(2) If—

(a) the search for a record of a public body in respect of which a request for access by a requester[, other than a personal requester,] has been made; and

(b) the preparation of the record for disclosure (including any arrangements contemplated in section 29(2)(a) and (b)(i) and (ii)(aa)),

would, in the opinion of the information officer of the body, require more than the hours prescribed for this purpose for requesters, the information officer must by notice require the requester[, other than a personal requester,] to pay as a deposit the prescribed portion (being not more than one third) of the access fee which would be payable if the request is granted."; and

(c) for subsection (3) of the following subsection:

“(3) The notice referred to in subsection (1) or (2) must state─

(a) the amount of the deposit payable in terms of subsection (2), if applicable;

(b) that the requester may lodge an internal appeal, a complaint to the Regulator or an application with a court, as the case may be, against the tender or payment of the request fee in terms of subsection (1), or the tender or payment of a deposit in terms of subsection (2), as the case may be; and

(c) the procedure (including the period) for lodging the internal appeal, complaint to the Regulator or application, as the case may be.”.

5. The amendment of section 25 by the─

(a) substitution for paragraph (c) of subsection (2) of the following paragraph:

“(c) that the requester may lodge an internal appeal, a complaint to the Regulator or an application with a court, as the case may be, against the access fee to be paid or the form of access granted, and the procedure (including the period) for lodging the internal appeal, complaint to the Regulator or application, as the case may be.”; and

(b) substitution for paragraph (c) of subsection (3) of the following paragraph:

“(c) state that the requester may lodge an internal appeal, complaint to the Regulator or an application with a court, as the case may be, against the refusal of the request, and the procedure (including the period) for lodging the internal appeal, complaint to the Regulator or application, as the case may be.”.

6. The amendment of section 26 by the substitution for paragraph (c) of subsection (3) of the following paragraph:

“(c) that the requester may lodge an internal appeal, complaint to the Regulator or an application with a court, as the case may be, against the extension, and the procedure (including the period) for lodging the internal appeal, complaint to the Regulator or application, as the case may be.”.

7. The amendment of section 29 by the substitution of subsection (9) for the following subsection:

“(9) If an internal appeal, complaint to the Regulator or an application to a court, as the case may be, is lodged against the granting of a request for access to a record, access to the record may be given only when the decision to grant the request is finally confirmed.”.

8. The amendment of section 49 by the—

(a) substitution of paragraphs (b) and (c) of subsection (3) for the following paragraphs:

“(b) that the third party may lodge an internal appeal, complaint to the Regulator or an application, as the case may be, against the decision within 30 days after notice is given, and the procedure for lodging the internal appeal, complaint to the Regulator or application, as the case may be; and

(c) that the requester will be given access to the record after the expiry of the applicable period contemplated in paragraph (b), unless such internal appeal, complaint to the Regulator or application with a court is lodged within that period.”; and

(b) substitution of subsection (4) of the following subsection:

“(4) If the information officer of a public body decides in terms of subsection (1) to grant the request for access concerned, he or she must give the requester access to the record concerned after the expiry of 30 days after notice is given in terms of subsection (1)(b), unless an internal appeal, complaint to the Regulator or an application with a court, as the case may be, is lodged against the decision within that period.”.

[6.] 9. The amendment of section 54 by the substitution for—

(a) subsection (1) of the following subsection:

“(1) The head of a private body to whom a request for access is made must by notice require the requester[, other than a personal requester,] to pay the prescribed request fee (if any), before further processing the request.”; [and]

(b) subsection (2) of the following subsection:

“(2) If—

(a) the search for a record of a private body in respect of which a request for access by a requester [, other than a personal requester,] has been made; and

(b) the preparation of the record for disclosure (including any arrangements contemplated in section 29(2)(a) and (b)(i) and (ii)(aa)),

would, in the opinion of the head of the private body concerned, require more than the hours prescribed for this purpose for requesters, the head must by notice require the requester[, other than a personal requester,] to pay as a deposit the prescribed portion (being not more than one third) of the access fee which would be payable if the request is granted.”; and

(c) paragraphs (b) and (c) of subsection (3) of the following paragraphs:

“(b) that the requester may lodge a complaint to the Regulator or an application with a court against the tender or payment of the request fee in terms of subsection (1), or the tender or payment of a deposit in terms of subsection (2), as the case may be; and

(c) the procedure (including the period) for lodging the complaint to the Regulator or the application.”.

10. The amendment of section 56 by the—

(a) substitution for paragraph (c) of subsection (2) of the following paragraph:

“(c) that the requester may lodge a complaint to the Regulator or an application with a court against the access fee to be paid or the form of access granted, and the procedure, including the period allowed, for lodging a complaint to the Regulator or the application.”; and

(b) substitution for paragraph (c) of subsection (3) of the following paragraph:

“(c) state that the requester may lodge a complaint to the Regulator or an application with a court against the refusal of the request, and the procedure (including the period) for lodging a complaint to the Regulator or the application.”.

11. The amendment of section 57 by the substitution for paragraph (c) of subsection (3) of the following paragraph:

“(c) that the requester may lodge a complaint to the Regulator or an application with a court against the extension, and the procedure (including the period) for lodging the application.”.

12. The amendment of section 73 by the—

(a) substitution for paragraphs (b) and (c) of subsection (3) of the following paragraphs:

“(b) that the third party may lodge a complaint to the Regulator or an application with a court against the decision of the head within 30 days after notice is given, and the procedure for lodging the complaint to the Regulator or the application; and

(c) that the requester will be given access to the record after the expiry of the applicable period contemplated in paragraph (b), unless a complaint to the Regulator or an application with a court is lodged within that period.”; and

(b) substitution of subsection (4) of the following subsection:

“(4) If the head of the private body decides in terms of subsection (1) to grant the request for access concerned, he or she must give the requester access to the record concerned after the expiry of 30 days after notice is given in terms of subsection (1)(b), unless a complaint to the Regulator or an application with a court is lodged against the decision within that period.”.

13. The amendment of Chapter 1 of Part 4 by the insertion after section 77 of the following sections:

“CHAPTER 1A

COMPLAINTS TO REGULATOR

Complaints

77A. (1) A requester—

(a) aggrieved by a decision of the information officer of a public body—

(i) to refuse a request for access; or

(ii) taken in terms of section 22, 26(1) or 29(3); or

(b) aggrieved by a decision of the head of a private body—

(i) to refuse a request for access; or

(ii) taken in terms of section 54, 57(1) or 60,

may, within 180 days of the decision, submit a complaint, alleging that the decision was not in compliance with this Act, to the Regulator in the prescribed manner and form for appropriate relief.

(2) A third party—

(a) aggrieved by a decision of the information officer of a public body to grant a request for access; or

(b) aggrieved by a decision of the head of a private body in relation to a request for access to a record of that body,

may within 180 days of the decision, submit a complaint, alleging that the decision was not in compliance with this Act, to the Regulator in the prescribed manner and form for appropriate relief.

Modes of complaints to Regulator

77B. (1) A complaint to the Regulator must be made in writing.

(2) The Regulator must give such reasonable assistance as is necessary in the circumstances to enable a person, who wishes to make a complaint to the Regulator, to put the complaint in writing.

Action on receipt of complaint

77C. (1) The Regulator, after receipt of a complaint made in terms of section 77A, must—

(a) investigate the complaint in the prescribed manner;

(b) refer the complaint to the Enforcement Committee established in terms of section 49 of the Protection of Personal Information Act, 2012; or

(c) decide, in accordance with section 77D, to take no action on the complaint or, as the case may be, require no further action in respect of the complaint.

(2) During the investigation the Regulator may—

(a) act, where appropriate, as conciliator in relation to such complaint in the prescribed manner; or

(b) take such further action as is contemplated by this Chapter.

(3) The Regulator must, as soon as is reasonably practicable, after receipt of a complaint, advise the complainant and the information officer or head of a private body, as the case may be, to whom the complaint relates of the course of action that the Regulator proposes to adopt under subsection (1).

Regulator may decide to take no action on complaint

77D. (1) The Regulator, after investigating a complaint received in terms of section 77A, may decide to take no action or, as the case may be, require no further action in respect of the complaint if, in the Regulator’s opinion—

(a) the complaint has not been submitted within the period referred to in section 77A(2) and there are no reasonable grounds to condone the late submission;

(b) the complaint is frivolous or vexatious or is not made in good faith; or

(c) it appears to the Regulator that, having regard to all the circumstances of the case, any further action is unnecessary or inappropriate.

(2) In any case where the Regulator decides to take no action, or no further action, on a complaint, the Regulator must inform the complainant of that decision and the reasons for it.

Pre-investigation proceedings of Regulator

77E. Before proceeding to investigate any matter in terms of this Chapter, the Regulator must, in the prescribed manner, inform—

(a) the complainant of the Regulator’s intention to conduct the investigation; and

(b) the information officer of the public body or the head of the private body, as the case may be, to whom the complaint relates of the—

(i) details of the complaint; and

(ii) right of the information officer or the head to submit to the Regulator, within a reasonable period, a written response in relation to the complaint.

Settlement of complaints

77F. If it appears from a complaint, or any written response made in relation to a complaint under section 77E(b)(ii), that it may be possible to secure a settlement between the parties concerned, the Regulator may, without investigating the complaint or, as the case may be, investigating the complaint further, in the prescribed manner, use its best endeavours to secure such a settlement.

Investigation proceedings of Regulator

77G. (1) For the purposes of the investigation of a complaint the Regulator has powers similar to those of the High Court in terms of section 80 relating to the disclosure of records to it and non-disclosure of records by it.

(2) Section 86 of the Protection of Personal Information Act applies to the investigation of complaints in terms of this Chapter.

Assessment¹¹⁴

¹¹⁴ Assessments, if approved as a function to be exercised by the Regulator in terms of PAIA, could be introduced on a voluntary basis.

77H. (1) The Regulator, on its own initiative, or at the request by or on behalf of an information officer or head of a private body or any other person may make an assessment in the manner prescribed of whether a public or private body generally complies with the provisions of this Act insofar as its policies and implementation procedures are concerned.

(2) The Regulator must make the assessment if it appears to be appropriate, unless, where the assessment is made on request, the Regulator has not been supplied with such information as it may reasonably require in order to—

(a) satisfy itself as to the identity of the person making the request; and

(b) enable it to identify the private or public body concerned.

(3) The matters to which the Regulator may have regard in determining whether it is appropriate to make an assessment include—

(a) the extent to which the request appears to it to raise a matter of substance;

(b) determining that the request is not frivolous or vexatious; and

(c) whether or not the person making the request is entitled to make an application in terms of this Act in respect of the information in question.

(4) If the Regulator has received a request under this section it must notify the person referred to in subsection (1)—

(a) whether it has made an assessment as a result of the request; and

(b) of any view formed or action taken as a result of the request.

Information Notice

77I. (1) For the purposes of the investigation of a complaint the Regulator may serve the information officer or head of a private body with an information notice requiring said party to furnish the Regulator, within a specified period, in a form specified in the notice, with the information specified in the notice.

(2) An information notice in terms of subsection (1) must be accompanied by—

(a) reasons for the issuing of the notice; and

(b) particulars of the right to appeal conferred by section 78(4).

(3) Section 95(3) to (9) of the Protection of Personal Information Act, 2012, applies to the serving of an information notice in terms of this Chapter.

Recommendation Notice

77J. (1) The Regulator, after having considered the recommendation of the Enforcement Committee, may serve the information officer of a public body or the head of a private body with a recommendation notice—

(a) confirming, amending or setting aside the decision which is the subject of the complaint; or

(b) requiring the said officer or head to take such action or to refrain from taking such action as the Regulator has specified in the notice.

(2) A notice in terms of subsection (1) must be accompanied by—

(a) reasons for the notice;

(b) particulars of the right to make an application to court conferred by Chapter 2 of this Part.

(3) Section 98(3) to (5) of the Protection of Personal Information Act, 2012, regarding enforcement notices applies with the necessary changes to the serving of a recommendation notice in terms of this Chapter.

(4) A copy of the notice referred to in subsection (1) that has been certified by the Regulator is, for purposes of the application referred to in section 78, conclusive proof of the contents of the recommendation notice that has been served by the Regulator.

Option: Enforcement Notice

77J. (1) The Regulator, after having considered the recommendation of the Enforcement Committee, may serve the information officer of a public body or the head of a private body with an enforcement notice—

(a) confirming, amending or setting aside the decision which is the subject of the complaint; or

(b) requiring the said officer or head to take such action or to refrain from taking such action as the Regulator has specified in the notice.

(2) A notice in terms of subsection (1) must be accompanied by—

(a) reasons for the notice;

(b) particulars of the right to make an application to court conferred by Chapter 2 of this Part.

(3) Section 98(3) to (5) of the Protection of Personal Information Act, 2012, applies, with the necessary changes, to the serving of an enforcement notice in terms of this Chapter.

(4) A copy of the notice referred to in subsection (1) that has been certified by the Regulator is, for purposes of the application referred to in section 78, conclusive proof of the contents of the enforcement notice that has been served by the Regulator.

Non-compliance with Enforcement Notice

77K. An information officer of a public body or head of a private body who refuses to comply with an enforcement notice referred to in section 77J, is guilty of an offence and liable upon conviction to a fine or to imprisonment for a period not exceeding three years or to both such a fine and such imprisonment.

CHAPTER 2

APPLICATIONS TO COURT (ss 78-82)

Applications regarding decisions of information officers or relevant authorities of public bodies or heads of private bodies or Regulator

78. (1) [A requester or third party referred to in section 74 may only apply to a court for appropriate relief in terms of section 82 after that requester or third party has exhausted the internal appeal procedure against a decision of the information officer of a public body provided for in section 74.

(2)] A requester—

(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;

(b) aggrieved by a decision of the relevant authority of a public body to disallow the late lodging of an internal appeal in terms of section 75(2);

(c) aggrieved by a decision of the information officer of a public body [referred to in paragraph (b) of the definition of 'public body' in section 1]—

(i) to refuse a request for access; or

(ii) taken in terms of section 22, 26(1) or 29(3); [or]

(d) aggrieved by a decision of the head of a private body—

(i) to refuse a request for access; or

(ii) taken in terms of section 54, 57(1) or 60[,];

(e) aggrieved by a decision of the Regulator in terms of section 77D; or

(f) aggrieved by a decision of the information officer of a public body or head of a private body not to comply with a recommendation notice that has been issued in terms of section 77J,

may, by way of an application, within [30] 180 days apply to a court for appropriate relief in terms of section 82.

[(3)] (2) A third party—

(a) that has been unsuccessful in an internal appeal to the relevant authority of a public body;

(b) aggrieved by a decision of the information officer of a public body [referred to in paragraph (b) of the definition of 'public body' in section 1] to grant a request for access; [or]

(c) aggrieved by a decision of the head of a private body in relation to a request for access to a record of that body,

(d) aggrieved by a decision of the Regulator in terms of section 77D; or

(e) aggrieved by a decision of the information officer of a public body or head of a private body in relation to a recommendation notice¹¹⁵ that has been issued in terms of section 77J,

may, by way of an application, within [30] 180 days apply to a court for appropriate relief in terms of section 82.

(4) An information officer of a public body or the head of a private body, as the case may be, aggrieved by a decision of the Regulator in terms of section 77I or 77J may, by way of an application, within 180 days apply to a court for appropriate relief in terms of section 82.

[6.] 14. The amendment of the heading of Part 5 by substituting the words "Human Rights Commission" with the words "Information Regulator".

[7.] 15. The amendment of sections [1,] 10(2) and (3), 32, 83, 84 and 85 by substituting the words "Human Rights Commission" wherever they occur, with the word "Information Regulator".

¹¹⁵ If the option under the proposed new clause 77J is accepted then reference to “recommendation notice” will have to be replaced with “enforcement notice”.

[8.] 16. The repeal of section 88.

Option:¹¹⁶

¹¹⁶ Option proposed by Dr Oriani-Ambrosini (on 24/2/11). See also footnote hereunder dealing with proposed offence that has been included in the option proposed by Ms Smuts.

[10] 17. The amendment of section 90 by the substitution for subsections (2) and (3) of the following subsections:

“(2) An information officer who wilfully or in a grossly negligent manner fails to comply with—

(a) the provisions of section 14; or

(b) an enforcement notice referred to in section 77J,

commits an offence and is liable on conviction to a fine, or to imprisonment for a period not exceeding two years.

(3) A head of a private body who wilfully or in a grossly negligent manner fails to comply with—

(a) the provisions of section 51; or

(b) an enforcement notice referred to in section 77J,

commits an offence and is liable on conviction to a fine, or to imprisonment for a period not exceeding two years.”.

Act 25 of 2002 | Electronic Communications and Transactions Act

1. The amendment of section 1 by the substitution for the definition of “personal information” of the following definition:

“‘personal information’ means personal information as defined in section 1 of the Protection of Personal Information Act, 2012 information relating to an identifiable natural person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, email address, physical address, telephone number or other particular assigned to the person;

(d) the blood type or any other biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person,

but excludes information about an individual who has been dead for more than 20 years.”.

2. The repeal of sections 45, 50 and 51.

Act 34 of 2005 | National Credit Act

1. The amendment of section 55 by the substitution for subsection (2) of the following subsection:

"(2) (a) Before issuing a notice in terms of subsection (1)(a) to a regulated financial institution, the National Credit Regulator must consult with the regulatory authority that issued a licence to that regulated financial institution.

(b) [The information protection provisions as set out in sections] Sections 68, 70(1), (2)(b) to (g) and (i), (3) and (4) and 72(1), (3) and (5) will be subject to the compliance procedures set out in Chapters 10 and 11 of the Protection of Personal Information Act, 2009.”.

2. The amendment of section 68 by the deletion of subsection (2).

3. The amendment of section 136 by the substitution for subsection (1) of the following subsection:

“(1) Any person may, subject to section 55(2)(b), submit a complaint concerning an alleged contravention of this Act to the National Credit Regulator in the prescribed manner and form.”.

4. The amendment of section 137 by the deletion of subparagraph (a) of subsection (1).

5. The amendment of section 1 by the substitution of the definition of “prohibited conduct” with the following definition:

“‘prohibited conduct’ means any act or omission in contravention of the Act, other than an act or omission that constitutes an interference with the protection of the personal information of any person as specified in section 55(2)(b) or that constitutes an offence under this Act, by—

(a) an unregistered person who is required to be registered to engage in such an act; or

(b) a credit provider, credit bureau or debt counselor;”.
